Updated: 2024-11-06 19:27:53 Pacfic
Okta Secure by Design Flaw - 4d
Okta, a prominent identity and access management (IAM) provider, experienced a security setback that contradicted its “secure by design” pledge. A vulnerability was discovered in the AD/LDAP DelAuth solution, allowing attackers to bypass password requirements and log in under specific conditions. The flaw, introduced in a July 2024 update, stemmed from a security oversight in cache key generation using the Bcrypt algorithm. The vulnerability required a combination of factors, including a long username, the absence of multi-factor authentication (MFA), and specific authentication timing. Okta quickly fixed the vulnerability and deployed a patch, but the incident highlights the challenges of achieving 100% secure by design principles across complex software systems.
References:
- sec.okta.com - Okta is committed to building security into everything we do, and we are proud to be a part of CISA’s Secure by Design initiative. - 1d
- Wie Hacker ML fu - With over 200 software vendors pledged to CISA’s “secure by design” principles and a number of them having already submitted their commitment progress reports, a few unfortunate goofs show that - 1d
Classification:
- HashTags: Okta SecureByDesign Cybersecurity
- Company: Okta
- Feature: AD/LDAP DelAuth
- Type: Bug
- Severity: Medium