Okta Secure by Design Flaw

Heather Adkins @ The Official Google Blog

Okta Secure by Design Flaw - 4d

Read more: blog.google

Okta, a prominent identity and access management (IAM) provider, experienced a security setback that contradicted its “secure by design” pledge. A vulnerability was discovered in the AD/LDAP DelAuth solution, allowing attackers to bypass password requirements and log in under specific conditions. The flaw, introduced in a July 2024 update, stemmed from a security oversight in cache key generation using the Bcrypt algorithm. The vulnerability required a combination of factors, including a long username, the absence of multi-factor authentication (MFA), and specific authentication timing. Okta quickly fixed the vulnerability and deployed a patch, but the incident highlights the challenges of achieving 100% secure by design principles across complex software systems.

Original img attribution: https://www.csoonline.com/wp-content/uploads/2024/11/3599118-0-26898400-1730820368-shutterstock_1488607697.jpg?quality=50&strip=all&w=1024

References:

sec.okta.com - Okta is committed to building security into everything we do, and we are proud to be a part of CISA’s Secure by Design initiative. - 1d
Wie Hacker ML fu - With over 200 software vendors pledged to CISA’s “secure by design” principles and a number of them having already submitted their commitment progress reports, a few unfortunate goofs show that - 1d

Classification:

HashTags: Okta SecureByDesign Cybersecurity
Company: Okta
Feature: AD/LDAP DelAuth
Type: Bug
Severity: Medium

This site is an experimental news aggregator using feeds I personally follow. You can reach me using contacts documented at my website here (https://royans.net/) if you have feedback. You can also find FlagThis at Mastodon.