Okta: a security flaw revealed
Recently, a vulnerability was discovered at the identity provider Okta that allowed people to sign into an account without typing the right password. It affected accounts whose username was 52 characters or longer.
What made an account vulnerable?
The company posted a security advisory stating that password authentication could be bypassed if the system found a stored cache key from a prior authentication. In other words, the account owner had to have a login history from that browser: their account records had to show that they had logged into the site on the date, at the time and from the geographical location reported by that browser. It should be noted, however, that this vulnerability did not affect organizations that use multi-factor authentication.
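The advisory this article summarises attributed the defect to a cache key computed as a bcrypt hash over userId + username + password; bcrypt uses only the first 72 bytes of its input, so once the ID and username fill those bytes the password no longer influences the key. The following Python example is added here to illustrate that mechanism; it is not Okta's code. SHA-256 over the first 72 bytes stands in for bcrypt so that it runs with the standard library alone, every sample value (user ID, usernames, passwords, secret) is constructed, and the hardened construction is one reasonable design, not Okta's actual fix.

```python
import hashlib
import hmac
import struct

# bcrypt's key setup consumes at most 72 bytes of input; anything beyond
# that is silently ignored. That limit is the whole story of this bug.
BCRYPT_INPUT_LIMIT = 72


def truncating_hash(data: bytes) -> str:
    """Stand-in for bcrypt (assumption for this example): SHA-256 over only the
    first 72 bytes. The truncation, not the digest, is what we are modelling."""
    return hashlib.sha256(data[:BCRYPT_INPUT_LIMIT]).hexdigest()


def vulnerable_cache_key(user_id: str, username: str, password: str) -> str:
    """Cache key built the way the advisory describes: one hash over the plain
    concatenation userId + username + password."""
    return truncating_hash((user_id + username + password).encode("utf-8"))


def password_bytes_seen(user_id: str, username: str) -> int:
    """How many bytes of the password the truncating hash actually consumes."""
    prefix = len((user_id + username).encode("utf-8"))
    return max(0, BCRYPT_INPUT_LIMIT - prefix)


def _field(value: str) -> bytes:
    # Length-prefix each field so "ab"+"c" and "a"+"bc" cannot collide.
    raw = value.encode("utf-8")
    return struct.pack(">I", len(raw)) + raw


def hardened_cache_key(user_id: str, username: str, password: str, secret: bytes) -> str:
    """One safe construction (assumption, not Okta's actual fix): HMAC-SHA256,
    which has no input-length limit, over length-prefixed fields, keyed with a
    server-side secret so a leaked cache entry cannot be tested against offline."""
    msg = _field(user_id) + _field(username) + _field(password)
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def cache_accepts(stored_key: str, candidate_key: str) -> bool:
    """Constant-time comparison of a freshly derived key against the cached one."""
    return hmac.compare_digest(stored_key, candidate_key)


def demo() -> dict:
    # Constructed sample values. The 20-character ID mirrors the length of an
    # Okta user ID (assumption); the value itself is made up.
    user_id = "00u1a2b3c4d5e6f7g8h9"
    long_username = "firstname.middlename.lastname@subsidiary.example.com"  # 52 chars
    short_username = "alice@example.com"
    real_password = "correct horse battery staple"
    wrong_password = "not even close"
    secret = b"constructed-server-side-secret"

    # 1. A genuine login populates the cache with a key for each account.
    cached_long = vulnerable_cache_key(user_id, long_username, real_password)
    cached_short = vulnerable_cache_key(user_id, short_username, real_password)

    # 2. Later attempts with the wrong password are checked against the cache.
    return {
        "password_bytes_seen_long": password_bytes_seen(user_id, long_username),
        "long_username_wrong_pw_accepted": cache_accepts(
            cached_long, vulnerable_cache_key(user_id, long_username, wrong_password)),
        "short_username_wrong_pw_accepted": cache_accepts(
            cached_short, vulnerable_cache_key(user_id, short_username, wrong_password)),
        "hardened_wrong_pw_accepted": cache_accepts(
            hardened_cache_key(user_id, long_username, real_password, secret),
            hardened_cache_key(user_id, long_username, wrong_password, secret)),
        "hardened_right_pw_accepted": cache_accepts(
            hardened_cache_key(user_id, long_username, real_password, secret),
            hardened_cache_key(user_id, long_username, real_password, secret)),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

With a 20-byte ID and a 52-character username the password contributes zero bytes to the vulnerable key, so the wrong password produces the same cache entry as the right one; the 17-character username leaves 35 bytes for the password and the wrong one is rejected. The hardened key has no length cliff at all. The general lesson for a defender reviewing similar code is that a password hash function with a fixed input limit must only ever be fed the password itself, never a composite string, and that a cache hit should never substitute for the actual credential check.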
Possible consequences
A 52-character username offers far less protection than a password because it is comparatively easy to guess: it may simply be the user's email address, which contains their full name and the domain of their organization's website.
How is Okta reacting?
The company acknowledged that the vulnerability was introduced in an ordinary update released on 23 July 2024, and that it only identified the problem on 30 October, at which point it was fixed. Okta now recommends that customers who meet all the conditions of this vulnerability review their access logs for the last several months.
Okta, which provides services that let corporate clients integrate authentication into their applications, said it has yet to identify anyone affected by this particular flaw. It had earlier committed to "communicate with customers faster" after several user accounts were accessed by the Lapsus$ threat group.