Okta Discloses Authentication Bypass Bug Affecting 52-Character Usernames

Written by: Lore Apostol, Infosec Writer & Editor

Authentication service Okta has identified and remedied a security vulnerability that posed a significant risk to accounts with usernames 52 characters or longer. This vulnerability allowed unauthorized access to Okta AD/LDAP Delegated Authentication (DelAuth) using only a username under specific conditions.

Discovered on October 30 and promptly addressed the same day, the bug was exploitable only for usernames of 52 characters or more, a condition that, while rare, is plausible, especially if usernames comprise lengthy email addresses.

For the exploit to succeed, the targeted account required a pre-existing successful login attempt with a stored cache key generated by the bcrypt algorithm—a hashed combination of userID, username, and password.

The exploit relied on the AD/LDAP agent being unreachable (possibly due to network traffic) and required that multi-factor authentication (MFA) be disabled or never implemented.

Okta advises its customers to scrutinize their logs for authentication attempts involving long usernames from July 23 onwards. The company has not disclosed any incidents of successful exploitation but strongly recommends implementing MFA at a minimum.

Additionally, it encourages the use of phishing-resistant authenticators like Okta Verify FastPass and enforcing phishing resistance for all applications.

Security engineer Yan Zhu from Brave noted that the bcrypt algorithm's treatment of lengthy inputs could result in any password being accepted if paired with a sufficiently long username. She suggests mitigating this risk by hashing inputs with SHA-256 before bcrypt.
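The following is an added worked example, not code from Okta or from the article, that models the cache-key construction described above (userID + username + password fed into bcrypt) together with the SHA-256 pre-hash mitigation and the log review Okta recommends. bcrypt's real behaviour is to look at only the first 72 bytes of its input; the `bcrypt_like` function here is a constructed stand-in built on `hashlib.pbkdf2_hmac` that reproduces just that truncation so the script runs offline. The 20-character user ID, the salt and the event records are all constructed sample values (the 20-character ID is an assumption; 20 + 52 = 72 is what makes a 52-character username push the whole password past the window).

```python
import hashlib
import hmac

# bcrypt only processes the first 72 bytes of its input; anything after
# that is silently ignored. That single property is what the bug hinges on.
BCRYPT_MAX_INPUT = 72


def bcrypt_like(data: bytes, salt: bytes) -> bytes:
    """Stand-in for bcrypt (a constructed model, NOT the real algorithm).
    It reproduces only the property that matters here: the input is
    truncated to 72 bytes before the slow hash runs."""
    return hashlib.pbkdf2_hmac("sha256", data[:BCRYPT_MAX_INPUT], salt, 10_000)


def cache_key_vulnerable(user_id: str, username: str, password: str, salt: bytes) -> bytes:
    """Cache key built the way the article describes: userID + username +
    password concatenated and fed straight into bcrypt."""
    material = (user_id + username + password).encode()
    return bcrypt_like(material, salt)


def cache_key_fixed(user_id: str, username: str, password: str, salt: bytes) -> bytes:
    """Mitigation suggested in the article: SHA-256 the material first, so
    bcrypt always sees a 32-byte digest in which every byte of the password
    has an effect. NUL separators keep the concatenation unambiguous."""
    material = "\x00".join((user_id, username, password)).encode()
    return bcrypt_like(hashlib.sha256(material).digest(), salt)


def password_bytes_seen(user_id: str, username: str) -> int:
    """How many bytes of the password still fall inside bcrypt's 72-byte
    window for the vulnerable construction (0 means the password is ignored)."""
    return max(0, BCRYPT_MAX_INPUT - len((user_id + username).encode()))


def cached_login_accepts(key_fn, user_id, username, real_password, attempt, salt) -> bool:
    """Simulates the DelAuth cache path: a key stored from an earlier good
    login is compared with the key derived from the current attempt."""
    stored = key_fn(user_id, username, real_password, salt)
    candidate = key_fn(user_id, username, attempt, salt)
    return hmac.compare_digest(stored, candidate)


def long_username_events(events, threshold=52):
    """Defender-side filter for the log review the article recommends:
    return the events whose username is at least `threshold` characters."""
    return [e for e in events if len(e.get("username", "")) >= threshold]


# Constructed sample data (not real Okta identifiers or logs).
SALT = b"constructed-static-salt"
USER_ID = "00u0123456789abcdefg"           # 20 chars, assumed Okta-style ID length
LONG_USER = "a" * 40 + "@example.com"       # 52 chars: 20 + 52 = 72, password falls outside the window
SHORT_USER = "bob@example.com"
EVENTS = [
    {"time": "2024-07-24T10:00:00Z", "username": SHORT_USER, "outcome": "SUCCESS"},
    {"time": "2024-07-25T11:30:00Z", "username": LONG_USER, "outcome": "SUCCESS"},
]

if __name__ == "__main__":
    print("password bytes hashed (long user):", password_bytes_seen(USER_ID, LONG_USER))
    print("vulnerable, long user, wrong password accepted:",
          cached_login_accepts(cache_key_vulnerable, USER_ID, LONG_USER, "correct-password", "wrong", SALT))
    print("vulnerable, short user, wrong password accepted:",
          cached_login_accepts(cache_key_vulnerable, USER_ID, SHORT_USER, "correct-password", "wrong", SALT))
    print("fixed, long user, wrong password accepted:",
          cached_login_accepts(cache_key_fixed, USER_ID, LONG_USER, "correct-password", "wrong", SALT))
    print("events to review:", [e["username"] for e in long_username_events(EVENTS)])
```

With the long username the vulnerable construction accepts any password, because not one byte of it survives the 72-byte cut; the short username leaves 37 password bytes inside the window and the check fails as it should. Pre-hashing with SHA-256 closes the gap regardless of username length, which is why combining it with bcrypt is the usual recommendation.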

It’s worth noting that, concerning the Snowflake breach, cybersecurity firm Hudson Rock reported that a threat actor used the stolen credentials of a Snowflake employee to bypass Okta.

UNC3944 used Okta abuse techniques to pivot from on-premises infrastructure to cloud and SaaS applications, exploiting applications behind Okta single sign-on (SSO) and using the Okta web portal to see which application tiles were available.
