For three months, the identity and access management service Okta allowed some accounts to be accessed with nothing more than a username.
The vulnerability, which had been present since July, was identified in late October. The issue lay in AD/LDAP Delegated Authentication (DelAuth), the Okta feature that lets users sign in to Okta with the credentials held in their organization's Active Directory or LDAP directory: an on-premises agent forwards the password check to the directory, and Okta caches the result of successful logins so that it can keep authenticating users when the agent is unavailable.
At least 52 characters
For those three months, the flaw affected accounts whose usernames were 52 characters or longer. That is unusually long, but it does occur in practice, for example with long e-mail addresses used as usernames. Under those conditions the cache could grant access without a valid password when the normal verification path was bypassed, such as during agent downtime or under high network traffic that caused Okta to fall back to the cache.
The problem was in cache key generation. The cache key was derived by hashing the concatenation of userId, username, and password with bcrypt, and bcrypt only processes the first 72 bytes of its input. Okta user IDs are 20 characters, so with a username of 52 characters or more the password fell entirely beyond the 72-byte limit and no longer influenced the key. Because keys from earlier successful logins were retained, a later request for such a user produced the same key regardless of the password supplied (or with no password at all) and matched the cached entry.
The vulnerability has since been fixed by switching the key derivation from bcrypt to PBKDF2, which processes the whole input. Okta nevertheless recommends additional controls, above all multi-factor authentication, which would have blocked this bypass even while the defect was present.
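The following is an added example, not Okta's code, that models the cache-key defect and the fix described above. It assumes a 20-character Okta-style user ID and a toy DelAuth cache that falls back to previously cached keys when the agent is down. bcrypt itself is not used: the flawed scheme is reproduced by hashing only the first 72 bytes of the combined string, while the fixed scheme uses PBKDF2-HMAC-SHA256 from the standard library, which consumes every byte.

```python
import hashlib
import os

# bcrypt silently ignores every byte of its input after the 72nd.
BCRYPT_INPUT_LIMIT = 72

# Assumed identifiers: a 20-character Okta-style userId and two usernames.
USER_ID = "00u" + "k" * 17                                   # 20 characters
LONG_USERNAME = "jane.elizabeth.montgomery@subsidiary.examplecorp.com"  # 52 characters
SHORT_USERNAME = "jane.montgomery@examplecorp.com"          # 31 characters


def vulnerable_cache_key(user_id: str, username: str, password: str, salt: bytes) -> str:
    """Flawed derivation: hash(userId + username + password) with an algorithm
    that only sees the first 72 bytes. sha256 over a truncated input stands in
    for bcrypt and reproduces the defect exactly."""
    combined = (user_id + username + password).encode("utf-8")
    return hashlib.sha256(salt + combined[:BCRYPT_INPUT_LIMIT]).hexdigest()


def fixed_cache_key(user_id: str, username: str, password: str, salt: bytes) -> str:
    """Fixed derivation: PBKDF2-HMAC-SHA256 processes the entire input, so the
    password always contributes to the key no matter how long the username is."""
    combined = (user_id + username + password).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha256", combined, salt, 10_000).hex()


def password_influences_key(keyfn, user_id: str, username: str) -> bool:
    """True if two different passwords produce different cache keys."""
    salt = b"fixed-salt-for-comparison"
    return keyfn(user_id, username, "correct horse", salt) != keyfn(user_id, username, "wrong", salt)


class DelAuthCache:
    """Toy model (assumption, not Okta's implementation) of delegated
    authentication with a cache of keys from earlier successful logins."""

    def __init__(self, keyfn, directory: dict):
        self.keyfn = keyfn
        self.directory = directory      # username -> (user_id, password the agent would verify)
        self.cache = set()              # keys of previous successful logins
        self.salt = os.urandom(16)

    def authenticate(self, username: str, password: str, agent_up: bool) -> bool:
        user_id, real_password = self.directory[username]
        key = self.keyfn(user_id, username, password, self.salt)
        if agent_up:
            # Normal path: the AD/LDAP agent checks the password; success is cached.
            if password == real_password:
                self.cache.add(key)
                return True
            return False
        # Agent down or overloaded: fall back to the cache of previous successes.
        return key in self.cache


def run_scenario(keyfn, username: str) -> tuple:
    """Returns (result of a normal login, result of a later passwordless
    login while the agent is down)."""
    directory = {username: (USER_ID, "correct horse battery staple")}
    svc = DelAuthCache(keyfn, directory)
    first = svc.authenticate(username, "correct horse battery staple", agent_up=True)
    replay = svc.authenticate(username, "", agent_up=False)   # username only, no password
    return first, replay


if __name__ == "__main__":
    for name, keyfn in (("bcrypt-style (vulnerable)", vulnerable_cache_key),
                        ("PBKDF2 (fixed)", fixed_cache_key)):
        for user in (SHORT_USERNAME, LONG_USERNAME):
            print(name, len(user), "chars:", run_scenario(keyfn, user))
```

With the flawed derivation and the 52-character username, the userId and username together fill all 72 bytes, so the passwordless replay produces the same key that was cached after the legitimate login and is accepted; with the 31-character username the password still lands inside the hashed bytes and the replay is rejected. With PBKDF2 the replay fails in both cases.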