The flaw is an obvious lapse in at least one of the seven commitments within CISA's secure by design principles, which include enforcing multi-factor authentication (MFA), reducing default passwords, reducing classes of vulnerability, applying security patches, vulnerability enumeration and disclosure, and evidence of intrusions.
Cache key generation isn’t secure by design
The vulnerability, introduced by a routine update on July 23, 2024, stems from Okta's use of the Bcrypt algorithm to generate a cache key by hashing a combined string of user ID, username, and password.
For usernames of 52 characters or more, the cache key stored from a previous successful login allowed a re-login, effectively bypassing the password check. Bcrypt only processes the first 72 bytes of its input, so once the user ID and username fill that window the password no longer influences the resulting hash.
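The following is an added illustration, not Okta's code, of the pattern the article describes and of a hardened alternative. It assumes the cache key was plain concatenation of user ID, username and password fed to bcrypt (the exact layout Okta used is not given here), and it uses constructed identifiers: a 20-byte user ID, which together with the 52-character username from the article fills bcrypt's 72-byte input window exactly. It runs with the `bcrypt` package when installed and otherwise falls back to a clearly labelled SHA-256 stand-in that only preserves the interface.

```python
"""Why a bcrypt-derived cache key can stop depending on the password.

Added illustration, not Okta's code. It models the pattern the article
describes (hashing user ID + username + password with bcrypt) and a
hardened variant. The exact field layout Okta used is not public here;
plain concatenation is an assumption, as are the constructed identifiers.
"""
import hashlib
import os

# bcrypt hashes at most 72 bytes of its input. Classic implementations
# silently ignore anything beyond that; some newer libraries reject such
# input instead. The vulnerable path below truncates explicitly so the
# classic behaviour is reproduced deterministically either way.
BCRYPT_INPUT_LIMIT = 72

try:
    import bcrypt  # pip install bcrypt (optional for this demo)
except ImportError:
    bcrypt = None


def new_salt() -> bytes:
    """Fresh salt: a real bcrypt salt when the library is present (low cost
    factor because this is a demonstration), else random bytes for the stand-in."""
    if bcrypt is not None:
        return bcrypt.gensalt(rounds=4)
    return os.urandom(16)


def derive_cache_key(material: bytes, salt: bytes) -> bytes:
    """Password-hashing primitive behind the cache key.

    Uses bcrypt when available. Without it, a SHA-256 stand-in keeps the
    example runnable; it is NOT bcrypt and only preserves the interface.
    Callers must keep `material` inside the 72-byte window, which is exactly
    the responsibility the vulnerable path fails to honour.
    """
    if len(material) > BCRYPT_INPUT_LIMIT:
        raise ValueError("material exceeds bcrypt's 72-byte input window")
    if bcrypt is not None:
        return bcrypt.hashpw(material, salt)
    return hashlib.sha256(salt + material).digest()


def vulnerable_cache_key(user_id: str, username: str, password: str, salt: bytes) -> bytes:
    """The pattern described in the article: one concatenated string fed to bcrypt.

    Everything after byte 72 is dropped, so with a 20-byte user ID plus a
    52-character username the password never reaches the hash at all.
    """
    combined = (user_id + username + password).encode("utf-8")
    return derive_cache_key(combined[:BCRYPT_INPUT_LIMIT], salt)


def hardened_cache_key(user_id: str, username: str, password: str, salt: bytes) -> bytes:
    """Hardened variant: length-prefix each field (no ambiguous concatenation),
    pre-hash with SHA-256 so every byte of every field influences the result,
    then feed the 64-byte hex digest (well inside the window) to bcrypt."""
    fields = [f.encode("utf-8") for f in (user_id, username, password)]
    framed = b"".join(len(f).to_bytes(4, "big") + f for f in fields)
    digest = hashlib.sha256(framed).hexdigest().encode("ascii")  # 64 ASCII bytes
    return derive_cache_key(digest, salt)


def password_matters(key_fn, user_id: str, username: str, salt: bytes) -> bool:
    """Regression check worth keeping in a test suite: derive the key with two
    different constructed passwords and report whether the result changes."""
    k1 = key_fn(user_id, username, "correct-horse-battery", salt)
    k2 = key_fn(user_id, username, "completely-different", salt)
    return k1 != k2


if __name__ == "__main__":
    salt = new_salt()
    uid = "u" * 20          # constructed 20-byte user ID (assumption)
    long_name = "n" * 52    # the 52-character threshold from the article
    short_name = "n" * 10
    for label, fn in (("vulnerable", vulnerable_cache_key), ("hardened", hardened_cache_key)):
        print(label, "52-char username, password matters:",
              password_matters(fn, uid, long_name, salt))
        print(label, "10-char username, password matters:",
              password_matters(fn, uid, short_name, salt))
```

With the constructed 20-byte user ID, `password_matters` reports `False` for the vulnerable derivation at a 52-character username and `True` at a 10-character one, while the hardened derivation reports `True` in both cases. The pre-hash removes the truncation problem and the length prefixes remove concatenation ambiguity between fields; neither changes the separate design question of whether a cached, password-derived key should be allowed to satisfy a login at all.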