Comments:
So tell me why my employer switched to Okta in June?
"Finally fixed it" is a bit overcooked. Low/no known exploitation, most of the vulnerable accounts were likely service accounts and had to have been auth'd via Okta previously, and MFA completely defeats this attack. Embarrassing, but not terrible.
Okta is garbage. Companies using it are not smart.
For people wondering about this bug: this was probably a very common class of bug called a buffer overrun. A large number of security flaws are caused by buffer overrun attacks.
The code probably set aside 50 or 51 characters to store the username ("the buffer"). If you typed a longer username, the extra characters were stored into the memory locations following the buffer. This causes whatever program variables are stored at those memory locations to take on unexpected values. For example, it might set a flag saying the password has been verified.
The Android version named Marshmallow had a very similar bug. When the phone asked for your PIN to unlock it, if you typed a few hundred characters (or over a thousand, I forget) the phone would unlock.
Yes, this type of bug could be fixed merely by checking that what the user typed fits within the buffer. But traditionally, programmers skipped such checks in the past because "nobody would ever type a string that long".
yea
Buffer overflow attack? 😂
Very Linux
Funny thing was only Okta knew that and others didn't figure it out. Let me ask how it will take a 52 character username in the first place.
I nearly crapped a brick when I saw it was Okta, my employer uses it 🤣
My university makes us use this every single time, and to think it was this vulnerable 😅
I've gotten used to seeing him without hair, it's kinda weird when I get an older video in my feed lol.
That explains why my work got rid of Okta lol
Especially since an email is a common username when logging in via Okta, it's easy to pass the 52 char length. :/
I wonder if it was a floating point error where the username took up the password section also
In our company ordering app you can make an order if your email is over 25 characters... except it gets stuck in bit hell until someone from our sales team edits the email to be correct... also if you place a period "." as a work number or instead of any other information it will also stop it from going through... a single space or completely empty field is fine but a period is too much... it's a bit of an old program...
It's also a great illustration as to why outsourcing security is becoming so popular. It's someone else's fault when something goes wrong.
Making me laugh, my company uses Okta. P good. Had no idea this was an issue
I've heard of weirder. Minecraft had a bug so powerful people could execute server-owner-level commands on multiplayer servers for a while. Almost all servers had the same security company, and in order to access it the admin had to open a box only they could access and open another box within that box. Normally anyone that opens the box would not see anything, but one player figured out that by placing one chest in an anvil and naming it "admin", then naming another "server setup" and placing the server setup chest within the admin chest, once you clicked on it you could open the admin menu and execute code on the server and any linked computers. Yes, full-on remote code execution both in and out of Minecraft. Luckily the guys that found it only used it to troll in game. They managed to execute code that made them admins so they could do anything they wanted, messed with that for a bit, then got bored and executed code that gave everyone on the server admin status. They just watched the chaos happen after that.
I APPLIED AT THIS COMPANY LOL
"You got Active Directory?"
“Nah, we got that Disabled Understudy”
My theory is they used something like "bcrypt(username || password)" because bcrypt and others like it have a limit to them that could cause these to be overlooked or excluded.
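One way to picture the theory in the comment above (a password hash fed with "username || password" and an input limit that lets the password fall off the end), as an added example that is not from the video or from any commenter: bcrypt's 72-byte input limit is a documented property of the algorithm, but the `truncating_kdf` below is only a stand-in that reproduces that truncation with SHA-256 so the block runs without the `bcrypt` package. The function names, the salt and the sample usernames are constructed for the example. The page itself only reports a 52-character username threshold; this toy does not reproduce that exact number because it depends on how the real cache key was composed, which the page does not give. The two mitigations shown, refusing over-long input and pre-hashing each field to a fixed length, are the standard defences for this class of construction flaw.

```python
import hashlib

INPUT_LIMIT = 72  # bytes; bcrypt's documented input limit, reused by the stand-in below


def truncating_kdf(data: bytes, salt: bytes) -> bytes:
    """Stand-in for a password hash that silently ignores input past INPUT_LIMIT.

    Real bcrypt truncates its input this way; SHA-256 is used here only so the
    example runs without third-party packages. Not a real KDF.
    """
    return hashlib.sha256(salt + data[:INPUT_LIMIT]).digest()


def cache_key_unsafe(username: str, password: str, salt: bytes) -> bytes:
    """Flawed construction: raw concatenation fed straight into the truncating KDF."""
    return truncating_kdf(username.encode() + password.encode(), salt)


def surviving_password_bytes(username: str) -> int:
    """How many bytes of the password the unsafe construction still compares.

    Anything beyond this count is discarded by the KDF; at 0 the password is
    ignored entirely and any value verifies.
    """
    return max(0, INPUT_LIMIT - len(username.encode()))


def cache_key_checked(username: str, password: str, salt: bytes) -> bytes:
    """Mitigation 1: refuse input the KDF would truncate instead of hashing it."""
    data = username.encode() + password.encode()
    if len(data) > INPUT_LIMIT:
        raise ValueError("combined input exceeds the KDF limit; refusing rather than truncating")
    return truncating_kdf(data, salt)


def cache_key_prehashed(username: str, password: str, salt: bytes) -> bytes:
    """Mitigation 2: reduce each field to a fixed-length digest before the KDF.

    The KDF input is then always 64 bytes, so no field can push another past
    the limit, and the field boundary is fixed, so "ab"+"c" and "a"+"bc" differ.
    """
    u = hashlib.sha256(username.encode()).digest()
    p = hashlib.sha256(password.encode()).digest()
    return truncating_kdf(u + p, salt)


def password_ignored(key_fn, username: str, salt: bytes) -> bool:
    """True if two different passwords produce the same key for this username."""
    k_right = key_fn(username, "correct-horse-battery", salt)  # constructed sample password
    k_wrong = key_fn(username, "totally-wrong-guess", salt)    # constructed wrong password
    return k_right == k_wrong


def run_demo() -> dict:
    """Compare the flawed and fixed constructions on a short and a long username."""
    salt = b"constructed-fixed-salt"     # constructed; a real system salts per entry
    short_user = "alice@example.com"     # constructed: 17 bytes, leaves room for a password
    long_user = "a" * INPUT_LIMIT        # constructed: fills the whole limit by itself
    return {
        "unsafe_short_user": password_ignored(cache_key_unsafe, short_user, salt),
        "unsafe_long_user": password_ignored(cache_key_unsafe, long_user, salt),
        "prehashed_long_user": password_ignored(cache_key_prehashed, long_user, salt),
    }


if __name__ == "__main__":
    for name, ignored in run_demo().items():
        print(f"{name}: password ignored = {ignored}")
    print("password bytes still compared for a 60-byte username:", surviving_password_bytes("a" * 60))
```

The check worth taking away is `surviving_password_bytes`: for any construction that concatenates fields before a length-limited primitive, compute how much of the last field actually reaches the hash for the longest username the system accepts. If that number can fall below the full password length, the design is broken even when no account has hit zero yet.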
ngl bro I feel auth ain't that difficult, idk why people tweaking
For Bitcoin wallets, it's the other way around. You just need a 12-word password, username is not needed.
That is absolutely crazy... what the heck?
Scott Manley's son, 4 sure.
My university used that. They switched to Microsoft this semester
New Zealand Mentioned RAAAAAAAA WHAT THE FUCK IS A FAIR PRICE FOR FOOD
Me when my college uses Okta login
Ayyeee, that looks like the place with the really long name in my country 👉😁👉
I'm making that guess because I'm pretty sure we only have M, N, K, W, H, N, P, R, A, E, I, O, U, but also because I don't know of many, if any, other languages that use NG together like that.
(Yes we only use the G when it's connected to an N, makes the same sound as when you say "Gnat".
The language existed before The British put it on paper, don't judge me lol.)
Did I get it right? Is that New Zealand? 😃
Do I get a prize? 😂
Jk the prize was the Dad level jokes I made along the way 🌈
This is kinda a big brain move if intentional, no one would expect it... But it's a ticking time explosive
*YT now really heavily moderates the comments...
Genuinely one of the stupidest things I’ve ever heard, whose idea was that????
Fun fact, ADT Security uses OKTA for all of its employees and had a massive data breach at the same time. So much for a home security company 😂😂
lol I work for one of the top three universities in my company and we use Okta for all our emails, data servers, confidential research participants data etc
Ugh 😒
Anyone still counting Okta vulnerabilities at this point?
The fact that my uni uses okta-
The "they told us even though we're not sure it made a difference" is a sort of integrity to hope for
Good on Okta for telling everyone. Hopefully that means that if anyone was affected Okta did the right thing.
Yeah, I've never worked there but I've been on their payroll for years.
You know that someone with a long name complained that they had to start entering their password all of a sudden.
So that's why I couldn't finish my last POLS assignment
This is why the majority of new features need to be off by default when first being implemented...
I thought every website in the world just uses the auth0 method, which I myself find more strange than what you described.
Glad to know that my company uses Okta.
My company uses okay 😂
Freaking unreal.
Critical vulnerability: Gives root access if asked in a stern voice
The timing feels like they implemented something to deal with CrowdStrike and it backfired 😂
Well. Good thing I got hired on October 21st.
Full names with domain seem like a massive security risk anyway
My college got hacked because of it