The flaw is an apparent oversight of at least one of the seven commitments in CISA's Secure by Design principles, which include enforcing multi-factor authentication (MFA), reducing default passwords, reducing entire classes of vulnerability, applying security patches, vulnerability enumeration and disclosure, and evidence of intrusions.
Cache key generation isn't secure by design
The vulnerability, which was introduced through a routine July 23, 2024 update, stems from Okta's use of the bcrypt algorithm to generate a cache key by hashing a combined string of user ID, username, and password. Bcrypt hashes only the first 72 bytes of its input and silently ignores the rest, so once the user ID and username together fill that window, the password bytes fall outside the hashed portion and no longer influence the key.
In the case of usernames that were 52 characters long, or longer, the stored cache key from a previous successful login attempt allowed re-login, effectively bypassing the need for a password.
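The Python below is an added example, not Okta's code or anything from the researchers who reported the flaw. It models the cache-key pattern the text describes (bcrypt over user ID + username + password) and shows why the password stops mattering once the prefix is long enough. Two things are assumptions for the sake of the demonstration: a 20-character user ID (with that prefix a 52-character username fills bcrypt's 72-byte window exactly), and a SHA-256 stand-in for bcrypt that keeps bcrypt's 72-byte truncation but drops the salt and cost so results are deterministic and comparable. The hardened form shown is one standard mitigation (length-prefixed fields plus a fixed-size pre-hash), not a statement of how the vendor actually fixed it.

```python
import hashlib
import struct

# bcrypt processes only the first 72 bytes of its input; anything beyond
# that is silently dropped. This limit is bcrypt's documented behaviour.
BCRYPT_INPUT_LIMIT = 72

# Assumption for this example: a 20-character user ID. With that prefix a
# 52-character username fills the 72-byte window exactly.
SAMPLE_USER_ID = "00u" + "x" * 17


def kdf_stand_in(material: bytes) -> str:
    """Stand-in for bcrypt (assumption, not the real algorithm): it keeps the
    72-byte truncation but is unsalted and deterministic so keys can be compared."""
    return hashlib.sha256(material[:BCRYPT_INPUT_LIMIT]).hexdigest()


def vulnerable_cache_key(user_id: str, username: str, password: str) -> str:
    """The pattern the article describes: hash the plain concatenation
    userId + username + password. Nothing stops the prefix from consuming
    the whole 72-byte window."""
    return kdf_stand_in((user_id + username + password).encode("utf-8"))


def password_bytes_hashed(user_id: str, username: str, password: str) -> int:
    """Number of password bytes that actually reach the KDF in the vulnerable
    scheme. Zero means the key is independent of the password."""
    prefix_len = len((user_id + username).encode("utf-8"))
    room = BCRYPT_INPUT_LIMIT - prefix_len
    return max(0, min(len(password.encode("utf-8")), room))


def hardened_cache_key(user_id: str, username: str, password: str) -> str:
    """One standard mitigation (not the vendor's fix): length-prefix each field
    so boundaries cannot shift between fields, then pre-hash the complete
    material to a fixed 32 bytes before the length-limited KDF sees it."""
    encoded = b""
    for field in (user_id, username, password):
        raw = field.encode("utf-8")
        encoded += struct.pack(">I", len(raw)) + raw
    prehash = hashlib.sha256(encoded).digest()  # 32 bytes, always under the limit
    return kdf_stand_in(prehash)


def cache_allows_login(cache: set, key_fn, user_id: str, username: str, password: str) -> bool:
    """Simulates the login cache: a hit means a key stored from an earlier
    successful login matched the key derived from this attempt."""
    return key_fn(user_id, username, password) in cache


def demo() -> dict:
    """Walk through the threshold case and the partial-truncation case."""
    long_name = "a" * 52            # exactly at the threshold from the article
    mid_name = "b" * 40             # shorter: only part of the password is hashed
    real_pw = "correct horse battery staple"

    # A previous successful login populated the cache.
    vuln_cache = {vulnerable_cache_key(SAMPLE_USER_ID, long_name, real_pw)}
    hard_cache = {hardened_cache_key(SAMPLE_USER_ID, long_name, real_pw)}

    return {
        # Vulnerable scheme: any password, even an empty one, replays the cached key.
        "vuln_wrong_pw_accepted": cache_allows_login(vuln_cache, vulnerable_cache_key,
                                                     SAMPLE_USER_ID, long_name, "wrong"),
        "vuln_empty_pw_accepted": cache_allows_login(vuln_cache, vulnerable_cache_key,
                                                     SAMPLE_USER_ID, long_name, ""),
        "pw_bytes_at_threshold": password_bytes_hashed(SAMPLE_USER_ID, long_name, real_pw),
        # Shorter username: only the first 12 password bytes matter, so the
        # attacker needs just that prefix.
        "pw_bytes_mid": password_bytes_hashed(SAMPLE_USER_ID, mid_name, real_pw),
        "vuln_mid_prefix_accepted": vulnerable_cache_key(SAMPLE_USER_ID, mid_name, real_pw)
            == vulnerable_cache_key(SAMPLE_USER_ID, mid_name, real_pw[:12] + "GARBAGE"),
        # Hardened scheme: the wrong password never matches.
        "hard_wrong_pw_accepted": cache_allows_login(hard_cache, hardened_cache_key,
                                                     SAMPLE_USER_ID, long_name, "wrong"),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The stand-in reproduces the one property that matters here, the 72-byte cut, so the outcome is the same as with a bcrypt implementation that silently truncates: `password_bytes_hashed` drops to zero at the 52-character username, and the intermediate case shows that the weakness is not a cliff but a sliding window in which an attacker only needs the leading bytes of the password. Pre-hashing to a fixed size before a length-limited KDF is the general fix for this class of bug, independent of which KDF sits behind it.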

