Okta Fixes Auth Bypass Bug After 3-Month Lull
The bug affected accounts with 52-character user names, and had several pre-conditions that needed to be met in order to be exploited.
Okta has addressed an authentication bypass bug that affects those with long usernames or employers with wordy domain names.
The security hole could have allowed cybercriminals to pass Okta AD/LDAP delegated authentication (DelAuth) using just a username. However, it could only be exploited if a series of conditions were met, one of those conditions being a username that had 52 characters or more.
Though unusual, some individuals opt to use their email addresses as their usernames, making the possibility of a 52-character username not entirely out of the question.
Other conditions were that the user had previously authenticated, leaving a cached authentication, and that the cache was consulted first, which could occur "if the AD/LDAP agent was down or cannot be reached, for example, due to high network traffic," according to the authentication company in its advisory of the flaw.
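As an added illustration (not code from the article or from Okta): Okta's advisory attributed the bug to the cache key being a bcrypt hash of userId + username + password, and bcrypt uses only the first 72 bytes of its input, so with a 20-character user ID and a 52-character username the password lies entirely beyond the bytes that are hashed. The 20-character ID, the sample usernames and the server key below are constructed, and a SHA-256 stand-in reproduces only bcrypt's truncation, not its salting or cost.

```python
import hashlib
import hmac
import struct

BCRYPT_INPUT_LIMIT = 72  # bcrypt silently ignores input beyond this many bytes

# Constructed sample values (not real Okta identifiers or secrets)
USER_ID = "00u" + "x" * 17                     # 20 characters, like an Okta user ID
LONG_USERNAME = "a" * 40 + "@example.com"      # 52 characters: 20 + 52 = 72
SHORT_USERNAME = "alice@example.com"           # 17 characters
SERVER_KEY = b"constructed-server-side-cache-key"


def bcrypt_like_digest(data: bytes) -> str:
    """Stand-in for bcrypt used only to reproduce its 72-byte input cut-off.
    Real bcrypt is salted and slow; only the truncation matters here."""
    return hashlib.sha256(data[:BCRYPT_INPUT_LIMIT]).hexdigest()


def vulnerable_cache_key(user_id: str, username: str, password: str) -> str:
    """Concatenates the fields and feeds the result to a length-limited hash.
    When user_id + username already fill the limit, the password is discarded,
    so any password reproduces the cached key."""
    return bcrypt_like_digest((user_id + username + password).encode())


def hardened_cache_key(user_id: str, username: str, password: str) -> str:
    """Length-prefix every field and MAC the whole record with a server key.
    No input is ever truncated, and the prefixes fix the field boundaries
    (plain concatenation would also let 'ab'+'c' collide with 'a'+'bc')."""
    mac = hmac.new(SERVER_KEY, digestmod=hashlib.sha256)
    for field in (user_id, username, password):
        raw = field.encode()
        mac.update(struct.pack(">I", len(raw)))
        mac.update(raw)
    return mac.hexdigest()


def password_influences_key(key_fn, user_id: str, username: str) -> bool:
    """True if two different passwords produce different cache keys."""
    return key_fn(user_id, username, "correct-horse") != key_fn(
        user_id, username, "wrong-password"
    )


if __name__ == "__main__":
    for name, fn in (("vulnerable", vulnerable_cache_key), ("hardened", hardened_cache_key)):
        print(name, "long username:", password_influences_key(fn, USER_ID, LONG_USERNAME))
        print(name, "short username:", password_influences_key(fn, USER_ID, SHORT_USERNAME))
```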
The vulnerability was discovered by Okta on Oct. 30, after lurking in the system for three months. While it has since been fixed, the company recommended that customers check their logs for any odd authentication attempts dating back to July 23.
Okta also recommended that customers implement multifactor authentication (MFA) at a minimum, since the exploitation preconditions assume that MFA is not applied.
It is unclear whether there were any in-the-wild exploitation attempts. Okta did not respond immediately to a request for comment from Dark Reading.