The flaw appears to fall short of at least one of the seven commitments in CISA's Secure by Design pledge, which cover enforcing multi-factor authentication (MFA), reducing default passwords, reducing entire classes of vulnerability, increasing the uptake of security patches, publishing a vulnerability disclosure policy and transparent vulnerability reporting (CVEs), and helping customers gather evidence of intrusions.
Cache key generation isn't secure by design
The vulnerability, introduced through a routine update on July 23, 2024, stems from Okta's use of the Bcrypt algorithm to generate a cache key by hashing a single combined string of user ID, username, and password.
For usernames 52 characters or longer, the cache key stored from an earlier successful login allowed a later login to succeed with only the username, effectively bypassing the password check. The reason is a well-known Bcrypt property: it processes at most the first 72 bytes of its input and silently ignores the rest, so once the user ID and a long enough username filled that window, the password contributed nothing to the key, and any password produced the same cached value.
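The following Python model is an added example, not Okta's code, and makes the truncation concrete. It builds the cache key the way the advisory describes (a hash over user ID + username + password) and applies Bcrypt's real 72-byte input limit, but uses SHA-256 as a stand-in for the Bcrypt core so it runs offline with the standard library only. The 20-character user ID is an assumption modelled on the shape of Okta IDs; every ID, username and password below is constructed. It also goes one step beyond the article's threshold by reporting how many password bytes survive for shorter usernames, and shows a hardened key derivation in which every field is hashed in full before anything length-limited sees it.

```python
"""Model of the Okta AD/LDAP delegated-auth cache-key weakness.

Added example (not Okta's code). Bcrypt is replaced by a stand-in (SHA-256
over the first 72 bytes) so the example runs offline; the 72-byte cut-off is
the real Bcrypt behaviour being modelled.
"""
import hashlib

BCRYPT_MAX_INPUT = 72  # Bcrypt hashes at most this many input bytes

# Assumption: Okta user IDs are 20 characters long. Constructed value.
USER_ID = "00u0000000000000000a"


def bcrypt_like(data: bytes) -> str:
    """Stand-in for Bcrypt: drop everything past byte 72, then hash.

    SHA-256 replaces the Bcrypt core only to avoid third-party packages;
    the silent truncation is the property under discussion.
    """
    return hashlib.sha256(data[:BCRYPT_MAX_INPUT]).hexdigest()


def vulnerable_cache_key(user_id: str, username: str, password: str) -> str:
    """Cache key as described in the advisory: hash(userId + username + password)."""
    combined = (user_id + username + password).encode("utf-8")
    return bcrypt_like(combined)


def password_bytes_hashed(user_id: str, username: str) -> int:
    """Number of password bytes that actually reach the hash (0 = ignored)."""
    prefix_len = len(user_id.encode("utf-8")) + len(username.encode("utf-8"))
    return max(0, BCRYPT_MAX_INPUT - prefix_len)


def hardened_cache_key(user_id: str, username: str, password: str) -> str:
    """Fixed variant: length-prefix each field, pre-hash, then apply the
    length-limited function to the 32-byte digest so no input byte is lost."""
    def field(s: str) -> bytes:
        b = s.encode("utf-8")
        return len(b).to_bytes(4, "big") + b  # unambiguous field boundaries

    digest = hashlib.sha256(field(user_id) + field(username) + field(password)).digest()
    return bcrypt_like(digest)  # 32 bytes: always inside the 72-byte window


class DelegatedAuthCache:
    """Toy cache of keys from successful delegated logins.

    Models the path where a stored key from a prior success is accepted
    instead of re-checking the password against the directory.
    """

    def __init__(self, key_fn):
        self._key_fn = key_fn
        self._keys: set[str] = set()

    def record_success(self, user_id: str, username: str, password: str) -> None:
        self._keys.add(self._key_fn(user_id, username, password))

    def cached_login(self, user_id: str, username: str, password: str) -> bool:
        return self._key_fn(user_id, username, password) in self._keys


def replay_with_wrong_password(username: str, key_fn) -> bool:
    """Log in once with the real password, then retry with a wrong one.

    Returns True if the wrong password is accepted from the cache.
    """
    cache = DelegatedAuthCache(key_fn)
    cache.record_success(USER_ID, username, "correct horse battery staple")
    return cache.cached_login(USER_ID, username, "definitely-not-the-password")


if __name__ == "__main__":
    for length in (40, 51, 52, 60):
        name = "a" * length  # constructed username
        print(f"username len={length:>2}: password bytes hashed="
              f"{password_bytes_hashed(USER_ID, name):>2}, "
              f"vulnerable bypass={replay_with_wrong_password(name, vulnerable_cache_key)}, "
              f"hardened bypass={replay_with_wrong_password(name, hardened_cache_key)}")
```

With a 20-byte user ID, a 52-byte username fills the window exactly, so the password is ignored and the wrong password is accepted from the cache. The model also shows the softer edge of the same bug: a 51-character username leaves one byte of password in the hash, so the stored key is only guarding a single character. The hardened variant rejects the replay at every length because the full password feeds the digest before the truncating step.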