Okta Discloses Authentication Bypass Bug Affecting 52-Character Usernames

Published on November 5, 2024
Written by:
Lore Apostol
Lore Apostol
Cybersecurity & Streaming Writer

Authentication service Okta has identified and remedied a security vulnerability that posed a significant risk to accounts with usernames 52 characters or longer. This vulnerability allowed unauthorized access to Okta AD/LDAP Delegated Authentication (DelAuth) using only a username under specific conditions.

Discovered on October 30 and promptly addressed the same day, the bug was exploitable only for usernames of 52 characters or more, a condition that, while rare, is plausible, especially if usernames comprise lengthy email addresses.

For the exploit to succeed, the targeted account required a pre-existing successful login attempt with a stored cache key generated by the bcrypt algorithm—a hashed combination of userID, username, and password.

The exploit relied on the AD/LDAP agent being unreachable (possibly due to network traffic) and required that multi-factor authentication (MFA) be disabled or never implemented.

Okta advises its customers to scrutinize their logs for authentication attempts involving long usernames from July 23 onwards. The company has not disclosed any incidents of successful exploitation but strongly recommends implementing MFA at a minimum. 

Additionally, it encourages the use of phishing-resistant authenticators like Okta Verify FastPass and enforces phishing resistance for all applications.

Security engineer Yan Zhu from Brave noted that the bcrypt algorithm's treatment of lengthy inputs could result in any password being accepted if paired with a sufficiently long username. She suggests mitigating this risk by hashing inputs with SHA-256 before bcrypt.

It’s worth noting that, concerning the Snowflake breach, cybersecurity firm Hudson Rock reported that a threat actor used the stolen credentials of a Snowflake employee to bypass Okta.

UNC3944 used Okta abuse techniques to go beyond on-premises infrastructure to Cloud and SaaS applications, exploiting applications with Okta single sign-on (SSO) and using the Okta web portal to see what application tiles were available.



For a better user experience we recommend using a more modern browser. We support the latest version of the following browsers: For a better user experience we recommend using the latest version of the following browsers: