Article Details
Scrape Timestamp (UTC): 2024-11-04 11:31:46.834
Source: https://www.theregister.com/2024/11/04/why_the_long_name_okta/
Original Article Text
Why the long name? Okta discloses auth bypass bug affecting 52-character usernames

Mondays are for checking months of logs, apparently, if MFA's not enabled.

In potentially bad news for those with long names and/or employers with verbose domain names, Okta spotted a security hole that could have allowed crims to pass Okta AD/LDAP Delegated Authentication (DelAuth) using only a username.

But why is that bad news for those with long usernames? Because the bug could be exploited only when a series of conditions were met, one of which was a username of 52 characters or longer. That condition is arguably the most unusual of them all, although not entirely out of the realm of possibility if, for example, a user's work email address is used as the username.

The exploit would also only work when the targeted account already had a successful login attempt stored, including the associated cache key generated by the bcrypt algorithm. Okta said that key would comprise a hashed string of a user's userId, username, and password.

That cache would also have to be used first, which Okta said in its advisory "can occur if the AD/LDAP agent was down or cannot be reached, for example, due to high network traffic."

Yet another caveat: multi-factor authentication (MFA) would have to be disabled, or never implemented, for the bug to be exploitable.

Okta discovered the issue on October 30 and fixed it the same day, although by that point it had been present for just over three months. The security company advised customers to check their logs for any authentication attempts using usernames of 52 or more characters, all the way back to July 23. It didn't say whether it was aware of any successful exploitation attempts.

"Furthermore, Okta recommends all Okta customers implement MFA at a minimum," the company added. "We also strongly encourage customers to enroll users in phishing-resistant authenticators (such as Okta Verify FastPass, FIDO2 WebAuthn, or PIV/CAC Smart Cards) and to enforce phishing resistance for access to all applications."

Weighing in, Brave security engineer Yan Zhu said that because the bcrypt algorithm ignores input after a specific length, if bcrypt is used to hash a username and password pair, then a sufficiently long username will mean any password is accepted. Passing the input through the SHA-256 algorithm first can mitigate this, she said.
Daily Brief Summary
Okta identified a security vulnerability in its AD/LDAP Delegated Authentication (DelAuth) that could have allowed unauthorized access using usernames of 52 or more characters.
The exploit required specific conditions: a long username, cache key usage due to AD/LDAP agent downtime, and disabled or non-existent multi-factor authentication (MFA).
This security loophole was discovered on October 30 and rectified immediately by Okta, after existing undetected for about three months.
Okta has urged customers to review logs since July 23 for any signs of exploitation involving lengthy usernames.
The company reinforced the importance of implementing multi-factor authentication and adopting phishing-resistant authenticators like Okta Verify FastPass and FIDO2 WebAuthn.
Brave security engineer Yan Zhu explained that the bypass could occur because the bcrypt algorithm ignores characters beyond a certain length, so a sufficiently long username leaves no room for the password and any password is accepted.
Mitigation strategies include processing input through algorithms like SHA-256 to prevent truncation and maintain security integrity.
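The truncation mechanism Yan Zhu describes in the article, and restated in the summary's last two points, as an added Python example that is not Okta's code or anything from the article: bcrypt's 72-byte input limit is modelled with a slice rather than a bcrypt library, the user id and log lines are constructed placeholders (the real formats are not given on the page), and the threshold function shows why a 20-byte id would put the cutoff at exactly 52 characters. The second construction applies the SHA-256 pre-hash she recommends, and the last function is the log review the advisory asks for.

```python
import hashlib
import hmac

# bcrypt hashes only the first 72 bytes of its input and silently ignores the
# rest. That documented limit is modelled here with a slice instead of a bcrypt
# package, so the block runs with the standard library alone.
BCRYPT_MAX_INPUT = 72

# Constructed placeholders: a 20-character user id (the real format is not given
# in the article) and a long work e-mail address used as the username.
USER_ID = "00u0123456789abcdef0"
LONG_USERNAME = "firstname.middlename.lastname@very-long-subsidiary.example.com"

def effective_bcrypt_input(data: bytes) -> bytes:
    """The bytes bcrypt would actually hash (model of the 72-byte cutoff)."""
    return data[:BCRYPT_MAX_INPUT]

def naive_cache_key_input(user_id: str, username: str, password: str) -> bytes:
    """Vulnerable construction: userId + username + password fed straight to bcrypt."""
    return (user_id + username + password).encode()

def prehashed_cache_key_input(user_id: str, username: str, password: str) -> bytes:
    """Mitigated construction: SHA-256 the concatenation first, so bcrypt always
    sees a 64-byte hex digest that depends on every byte, the password included."""
    return hashlib.sha256((user_id + username + password).encode()).hexdigest().encode()

def password_is_ignored(user_id: str, username: str, build=naive_cache_key_input) -> bool:
    """True when two different passwords yield identical bcrypt input, meaning the
    cached key would validate whatever password is supplied."""
    a = effective_bcrypt_input(build(user_id, username, "correct-password"))
    b = effective_bcrypt_input(build(user_id, username, "totally-different"))
    return hmac.compare_digest(a, b)

def username_length_threshold(user_id: str) -> int:
    """Smallest username length at which the naive construction pushes the entire
    password past bcrypt's window: 52 for a 20-byte id, the advisory's figure."""
    return max(0, BCRYPT_MAX_INPUT - len(user_id.encode()))

def flag_long_username_logins(log_lines, threshold=52):
    """The log review Okta asked for: usernames of threshold or more characters on
    DelAuth login events. Lines are constructed 'key=value' records, not Okta's format."""
    hits = []
    for line in log_lines:
        fields = dict(kv.split("=", 1) for kv in line.split())
        if fields.get("event") == "delauth.login" and len(fields.get("user", "")) >= threshold:
            hits.append(fields["user"])
    return hits
```

A shorter username, or the pre-hashed construction, keeps the password inside bcrypt's window, which is what the two `password_is_ignored` variants contrast.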