PANews reported on November 2 that Okta, an identity and access management software provider, disclosed on its website that on October 30, 2024, it had internally identified a vulnerability in how AD/LDAP DelAuth generates its cache keys. The cache key was produced with the Bcrypt algorithm by hashing the combined string userId + username + password. Under a specific set of conditions, this could allow a user to authenticate by providing the username together with the stored cache key of a previous successful authentication, without the supplied password being checked. The underlying cause is a well-known property of bcrypt: it only processes the first 72 bytes of its input, so once userId and username together fill those 72 bytes the password is silently dropped from the hash and every password yields the same cache key.
Okta said the vulnerability requires that the username be 52 characters or longer each time a cache key is generated for the user. Okta user IDs are 20 characters long, so a 52-character username brings the userId + username prefix to exactly bcrypt's 72-byte limit, which is consistent with the stated threshold. The affected product is Okta AD/LDAP DelAuth from July 23, 2024 onward; the vulnerability was resolved in Okta's production environment on October 30, 2024.
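The following is an added illustration of the mechanism described above; it is not Okta's code, and the page does not describe Okta's implementation beyond the concatenation and the use of bcrypt. It models bcrypt's 72-byte input limit with a plain SHA-256 stand-in (so it runs without the bcrypt package; bcrypt's work factor plays no role in the length bug), uses a constructed 20-character user ID in Okta's `00u...` shape, and contrasts the scheme with a hypothetical hardened key derivation that length-prefixes each field and runs PBKDF2-HMAC-SHA256, which consumes its whole input. The function and variable names are assumptions made for this example.

```python
"""
Added example (not Okta's code): how a 52-character username makes a
userId + username + password bcrypt cache key independent of the password.
"""
import hashlib
import hmac

BCRYPT_MAX_INPUT = 72   # bcrypt hashes at most the first 72 bytes of its input
OKTA_USER_ID_LEN = 20   # Okta user IDs such as 00u... are 20 characters (assumed here)

# Constructed sample data for the demonstration.
USER_ID = "00u" + "a" * (OKTA_USER_ID_LEN - 3)   # 20 chars
LONG_USERNAME = "x" * 52                         # userId + username == 72 bytes
SHORT_USERNAME = "x" * 40                        # leaves 12 bytes for the password
SALT = b"constructed-per-user-salt"


def delauth_material(user_id: str, username: str, password: str) -> bytes:
    """The concatenation named in the advisory: userId + username + password."""
    return (user_id + username + password).encode("utf-8")


def bcrypt_effective_input(material: bytes) -> bytes:
    """Bytes bcrypt actually consumes: anything past byte 72 is silently dropped."""
    return material[:BCRYPT_MAX_INPUT]


def password_bytes_hashed(user_id: str, username: str, password: str) -> int:
    """How many password bytes survive truncation (0 means the password is ignored)."""
    prefix_len = len((user_id + username).encode("utf-8"))
    return max(0, min(len(password.encode("utf-8")), BCRYPT_MAX_INPUT - prefix_len))


def weak_cache_key(user_id: str, username: str, password: str, salt: bytes) -> bytes:
    """Stand-in for the vulnerable scheme: a hash over the bcrypt-truncated input.

    SHA-256 replaces bcrypt only so the example runs offline; the truncation
    applied before hashing is the behaviour under discussion.
    """
    truncated = bcrypt_effective_input(delauth_material(user_id, username, password))
    return hashlib.sha256(salt + truncated).digest()


def safe_cache_key(user_id: str, username: str, password: str, salt: bytes) -> bytes:
    """Hypothetical hardened variant (not what the page says Okta deployed).

    Each field is length-prefixed so field boundaries are unambiguous, and the
    KDF (PBKDF2-HMAC-SHA256) has no input-length cap, so every password byte
    contributes to the key.
    """
    fields = (user_id.encode("utf-8"), username.encode("utf-8"), password.encode("utf-8"))
    material = b"".join(len(f).to_bytes(2, "big") + f for f in fields)
    return hashlib.pbkdf2_hmac("sha256", material, salt, 100_000)


def accepts_any_password(key_fn, username: str) -> bool:
    """Simulate a cache hit: the key stored after a correct login is compared
    with the key derived from a wrong password. True means the cache would
    authenticate the wrong password."""
    stored = key_fn(USER_ID, username, "CorrectHorseBatteryStaple!", SALT)
    attempt = key_fn(USER_ID, username, "wrong", SALT)
    return hmac.compare_digest(stored, attempt)


if __name__ == "__main__":
    for name, uname in (("52-char username", LONG_USERNAME), ("40-char username", SHORT_USERNAME)):
        print(f"{name}: {password_bytes_hashed(USER_ID, uname, 'secret')} password bytes hashed; "
              f"weak scheme accepts any password: {accepts_any_password(weak_cache_key, uname)}; "
              f"hardened scheme accepts any password: {accepts_any_password(safe_cache_key, uname)}")
```

Note that the problem does not switch off cleanly below the threshold: with a 51-character username only the first password byte reaches the hash, so the key space collapses to at most 256 distinct passwords. Any design that feeds variable-length identifiers into bcrypt should either pre-hash the input to a fixed length or use a KDF without an input cap, and should verify the boundary with a check like `password_bytes_hashed` above.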