Okta has revealed a security vulnerability that potentially left some user accounts accessible without a password under specific circumstances. In a recent advisory to customers, the authentication provider explained that this flaw allowed users to bypass password verification if their account username had 52 or more characters.
To exploit this vulnerability, the account also needed to have a "stored cache key" left by a prior successful login in the same browser, so only accounts that had previously been used from that browser were at risk. Organizations using multi-factor authentication (MFA) were unaffected by this flaw, Okta said, as the vulnerability did not bypass MFA protections.
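The following is an added illustration of the failure mode, not Okta's code: Okta's advisory attributed the bug to a cache key derived with bcrypt over the concatenation of user ID, username and password, and bcrypt ignores input beyond 72 bytes. The script simulates that 72-byte cut-off with SHA-256 (an assumption so it runs without the bcrypt package), uses a constructed 20-character user ID, and contrasts the concatenated construction with a length-prefixed one in which the password is hashed on its own.

```python
import hashlib
import hmac

# Assumptions for this demo: the real service used bcrypt, which silently drops
# input past 72 bytes; we model that with a plain truncation before SHA-256.
TRUNCATION_LIMIT = 72
USER_ID = "00u" + "x" * 17  # constructed 20-character identifier


def flawed_cache_key(user_id: str, username: str, password: str) -> str:
    """Key over user_id + username + password, truncated like bcrypt input.

    Once user_id + username alone reach the limit, no byte of the password
    is ever hashed, so every password maps to the same cache key."""
    material = (user_id + username + password).encode()[:TRUNCATION_LIMIT]
    return hashlib.sha256(material).hexdigest()


def fixed_cache_key(user_id: str, username: str, password: str) -> str:
    """Length-prefix each field and pre-hash the password, so no field can
    push another out of the hashed input regardless of its length."""
    pw_digest = hashlib.sha256(password.encode()).digest()
    h = hashlib.sha256()
    for field in (user_id.encode(), username.encode(), pw_digest):
        h.update(len(field).to_bytes(4, "big"))
        h.update(field)
    return h.hexdigest()


def password_is_checked(key_fn, username: str,
                        real_pw: str = "correct horse", guess: str = "wrong") -> bool:
    """True if a wrong password fails to reproduce the key cached at login."""
    cached = key_fn(USER_ID, username, real_pw)
    return not hmac.compare_digest(cached, key_fn(USER_ID, username, guess))


if __name__ == "__main__":
    # Constructed usernames of 22, 51 and 52 characters; 20 + 52 = 72 bytes.
    for name in ("short.user@example.com", "a" * 39 + "@example.com",
                 "a" * 40 + "@example.com"):
        print(len(name), "flawed:", password_is_checked(flawed_cache_key, name),
              "fixed:", password_is_checked(fixed_cache_key, name))
```

With the constructed 20-character user ID the flawed construction stops checking the password at exactly 52 username characters, the threshold named in the advisory, while the length-prefixed construction checks it at every length.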
The issue was introduced on 23 July 2024 as part of a routine update, and it remained undetected until 30 October, when Okta identified and resolved the problem. The company has since advised affected customers to review their access logs from the past several months to identify any potential unauthorised access.
Okta did not disclose if there had been any known breaches directly linked to the flaw, but the vulnerability could be particularly concerning given the relative ease with which a long username, often resembling an email address, could be guessed compared to a secure password.
This incident comes at a time when Okta’s security response practices have faced scrutiny, particularly after the Lapsus$ hacking group compromised a couple of user accounts last year. In response, Okta has pledged to enhance its communication efforts with customers regarding security issues. Known for its role in streamlining access across multiple applications, Okta’s software is widely used by companies to offer a single sign-on experience, reducing the need for multiple logins across different apps.