Pretty much all versions of bcrypt are vulnerable to second preimage attacks because they truncate the input to the first 72 bytes, meaning the hashes for messages longer than that will collide.
This resulted in a login bypass against Okta.
An Okta login bug bypassed checking passwords on some long usernames
Okta announced it fixed a bug that could let someone exploit usernames that are at least 52 characters long to log in with a username and any password.
The Verge (www.theverge.com)
-
Risotto Voted replied to Tony Arcieri 🌹🦀
@bascule the hashes will collide under what circumstances?
-
@risottobias @bascule As I read it, the hashes for any (long) username will collide with any other hashes for that same username even with different (wrong) passwords (as the message was getting truncated before the password in the message). I believe that means you could log in as that user using any password - the password check would pass.
The advisory mentioned this also required hitting the (on prem?) cache instead of a live service, but I don't know what that is part of.
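
Added illustration, not part of the thread and not Okta's code: a Python model of the 72-byte truncation discussed above, showing when the password falls outside the hashed window, plus a length guard and a pre-hash step as mitigations. No bcrypt library is called; the key layout (fixed prefix, then username, then password), the 20-byte prefix and all function names are assumptions made for the example.

```python
import base64
import hashlib

BCRYPT_MAX_INPUT = 72  # bcrypt only consumes the first 72 bytes of its input


def effective_bcrypt_input(material: bytes) -> bytes:
    """Return the bytes bcrypt would actually hash (truncation modelled only)."""
    return material[:BCRYPT_MAX_INPUT]


def build_material(prefix: bytes, username: str, password: str) -> bytes:
    """Hypothetical key layout: fixed prefix, then username, then password."""
    return prefix + username.encode("utf-8") + password.encode("utf-8")


def password_bytes_covered(prefix: bytes, username: str, password: str) -> int:
    """Number of password bytes that land inside the 72-byte window."""
    start = len(prefix) + len(username.encode("utf-8"))
    end = start + len(password.encode("utf-8"))
    return max(0, min(end, BCRYPT_MAX_INPUT) - start)


def safe_for_bcrypt(material: bytes) -> bool:
    """Guard: refuse input that bcrypt would silently truncate."""
    return len(material) <= BCRYPT_MAX_INPUT


def prehash(material: bytes) -> bytes:
    """Mitigation: reduce any input to a fixed 44-byte, NUL-free value
    (base64 of SHA-256) so every input byte influences what bcrypt sees."""
    return base64.b64encode(hashlib.sha256(material).digest())


# Constructed sample values, not taken from any real system.
PREFIX = b"0" * 20               # assumed 20-byte fixed prefix
LONG_USER = "u" * 52             # 52-character username, as in the article
SHORT_USER = "alice@example.com"

if __name__ == "__main__":
    for user in (SHORT_USER, LONG_USER):
        good = build_material(PREFIX, user, "correct horse")
        bad = build_material(PREFIX, user, "wrong guess")
        print(f"{user[:12]:<12}",
              "password bytes hashed:", password_bytes_covered(PREFIX, user, "correct horse"),
              "| same bcrypt input:", effective_bcrypt_input(good) == effective_bcrypt_input(bad),
              "| same after prehash:", prehash(good) == prehash(bad))
```
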