According to Foresight News, SlowMist's Chief Information Security Officer 23pds reported that Okta allowed any username of 52 characters or more to bypass the password check at login.

Separately, identity and access management provider Okta announced that on October 30, 2024 it had internally identified a vulnerability in how it generated cache keys for AD/LDAP Delegated Authentication (DelAuth). The cache key was produced by running Bcrypt over a concatenated string of userId, username and password. Bcrypt only processes the first 72 bytes of its input and silently discards the rest, so once userId plus username filled that window the password contributed nothing to the key. Under a specific set of conditions (the user had previously authenticated successfully, so a cache entry existed, and the cache was consulted before the AD/LDAP agent, for example because the agent was down or unreachable), this allowed a user to authenticate by supplying the username together with the stored cache key of a previous successful authentication, regardless of the password presented. The prerequisite was that the username be 52 characters or longer each time a cache key was generated for that user. Okta listed the affected product and versions as Okta AD/LDAP DelAuth from July 23, 2024 to October 30, 2024, and resolved the vulnerability in its production environment on October 30, 2024. Okta advised customers who met the preconditions to review their System Log for unexpected authentications from usernames of 52 or more characters during that window, and noted that multi-factor authentication mitigates the issue.
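The mechanism described above, as an added example that is not Okta's code and is not taken from the advisory: the legacy construction concatenates userId, username and password and hands the result to a bcrypt stage, so the password is dropped once the prefix fills bcrypt's 72-byte input window. Bcrypt's key schedule is replaced here by PBKDF2 so the block runs offline; only the 72-byte truncation is modeled. The 20-character userId, the static salt and the `hardened_cache_key` construction (length-prefixed fields pre-hashed with SHA-256) are assumptions for illustration, not Okta's actual identifiers or fix.

```python
import hashlib
import hmac

# bcrypt consumes at most 72 bytes of its input and ignores the rest.
BCRYPT_MAX_INPUT = 72

# Assumption: a 20-character userId in the style of Okta's "00u..." ids.
# 20 + 52 = 72, which is why 52 is the username length at which the
# password stops contributing to the key. Salt is constructed for the demo.
SAMPLE_USER_ID = "00u" + "x" * 17
SAMPLE_SALT = b"constructed-demo-salt"


def bcrypt_effective_input(material: bytes) -> bytes:
    """Return the bytes a bcrypt stage would actually process."""
    return material[:BCRYPT_MAX_INPUT]


def _kdf(material: bytes, salt: bytes) -> bytes:
    # Stand-in for bcrypt's key schedule so the example needs no bcrypt package.
    return hashlib.pbkdf2_hmac("sha256", material, salt, 10_000)


def legacy_cache_key(user_id: str, username: str, password: str,
                     salt: bytes = SAMPLE_SALT) -> bytes:
    """Pre-fix construction: concatenate the three fields and feed the whole
    string to the bcrypt stage. Once userId+username reaches 72 bytes the
    password has no effect on the result."""
    material = (user_id + username + password).encode()
    return _kdf(bcrypt_effective_input(material), salt)


def password_is_ignored(user_id: str, username: str) -> bool:
    """Preflight check: does the prefix alone fill bcrypt's input window?"""
    return len((user_id + username).encode()) >= BCRYPT_MAX_INPUT


def hardened_cache_key(user_id: str, username: str, password: str,
                       salt: bytes = SAMPLE_SALT) -> bytes:
    """Assumed hardened construction: length-prefix each field so field
    boundaries are unambiguous, then pre-hash with SHA-256 so the value
    reaching the bcrypt stage is always 32 bytes and is never truncated."""
    fields = (user_id.encode(), username.encode(), password.encode())
    material = b"".join(len(f).to_bytes(4, "big") + f for f in fields)
    digest = hashlib.sha256(material).digest()
    return _kdf(bcrypt_effective_input(digest), salt)


def verify(stored_key: bytes, candidate_key: bytes) -> bool:
    """Constant-time comparison of a presented key against the cached one."""
    return hmac.compare_digest(stored_key, candidate_key)


if __name__ == "__main__":
    long_name = "a" * 52
    cached = legacy_cache_key(SAMPLE_USER_ID, long_name, "correct-password")
    attempt = legacy_cache_key(SAMPLE_USER_ID, long_name, "anything-at-all")
    print("legacy: wrong password accepted:", verify(cached, attempt))
    print("preflight says password ignored:", password_is_ignored(SAMPLE_USER_ID, long_name))
    cached = hardened_cache_key(SAMPLE_USER_ID, long_name, "correct-password")
    attempt = hardened_cache_key(SAMPLE_USER_ID, long_name, "anything-at-all")
    print("hardened: wrong password accepted:", verify(cached, attempt))
```

With a 51-character username the prefix is 71 bytes, so only the first byte of the password survives truncation; any password sharing that first byte still matches, which is why the fix has to remove the truncation rather than tighten the length threshold.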