RE: LeoThread 2024-11-03 06:11

in LeoFinance, 2 months ago

Okta Bug Allowed Log-Ins Without a Correct Password

Okta recommends you check your account access history going back three months, but only under certain circumstances.

Popular identity management (IDM) service Okta has revealed that it allowed users to log in without a correct password—but only in a very specific set of circumstances.

#technology #okta #bug #login #identity #password

In a security advisory, Okta said the vulnerability had been in place since July 23, over three months at the time of writing.

However, the passwordless login trick only works with usernames over 52 characters and in cases where there was a “stored cache key”—a saved digital record of a previously successful login.

Another caveat explained in a message sent to users was that the bug only worked if the organization using Okta didn’t have two-factor authentication enabled.

In addition, the vulnerability could only be exploited if Okta’s agent, which handles the authentication, was down and could not be reached, or if there was unusually high traffic. It also only impacted Okta's AD/LDAP DelAuth products, and would not have impacted Okta Federal Cells.

Though that’s quite a lot of conditions, the bug could impact organizations all over the world.