OneLogin AD Connector Vulnerabilities Expose Authentication Credentials


A critical security vulnerability in OneLogin’s Active Directory (AD) Connector service has exposed enterprise authentication systems to significant risk.

The flaw, uncovered by SpecterOps and now reportedly fixed, allowed malicious actors to obtain authentication credentials, impersonate users, and access sensitive applications through OneLogin’s platform.

OneLogin, a prominent identity and access management (IAM) solution, integrates with popular directory services like Active Directory and AWS to provide single sign-on (SSO) and multi-factor authentication for organizations.


The service’s AD Connector is widely used to synchronize on-premises user directories with cloud platforms.

OneLogin AD Connector Vulnerabilities

Researchers found that attackers could exploit OneLogin’s AD Connector to access crucial credentials and cryptographic keys, enabling them to forge valid JSON Web Tokens (JWTs).

These tokens could be used to impersonate any user in a target domain and gain unauthorized access to enterprise applications.

[Figure: OneLogin AD Connector Attack Chain]

The initial breach vector involved AWS credentials hard-coded in logs, together with S3 bucket names inadvertently leaked through references in the OneLogin API.

By registering an unclaimed S3 bucket, researchers began receiving logs from a live OneLogin customer, including API keys and directory tokens. With these, a determined attacker could enumerate users, retrieve signing keys, and craft JWTs that bypassed authentication safeguards, the advisory reads.

The vulnerability raised the possibility of large-scale account takeovers. In at least one case, researchers received logs containing detailed user properties and directory tokens from another organization, demonstrating cross-tenant exposure.

By reverse engineering the .NET-based ConnectorService.exe, researchers revealed the precise JWT structure used by OneLogin.

With the signing key and user identifiers in hand, they could build tokens granting access to any application assigned to a user, compromising everything from email accounts to cloud infrastructure.

Details of the flaw were disclosed to OneLogin in December 2024. The company acknowledged the report promptly but was slow to communicate resolution progress.

As of June 2025, OneLogin says it has remediated the vulnerability, introducing encryption measures for API communications and securing cloud information flows.

Experts stress that IAM platforms like OneLogin should be treated as Tier 0 assets and protected with strict network segmentation and access controls.

Organizations should audit application logs, rotate exposed credentials, and ensure that only authorized hosts communicate with AD Connector services.
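As an added example (not code from the advisory or from OneLogin), here is a log-audit check of the kind recommended above: it scans connector log lines for AWS access key IDs, AWS secret keys, S3 bucket references and API or directory tokens, and reports masked values so findings can be handed to a credential-rotation process without re-leaking the secret. The sample log lines and the log field names are constructed assumptions, not OneLogin's actual log format; the access key is AWS's documented placeholder.

```python
import re

# Constructed sample log lines (not from the advisory). The access key is
# AWS's documented example key and the secret is its documented placeholder.
SAMPLE_LOG = """\
2025-06-01T10:00:01Z INFO  ConnectorService started
2025-06-01T10:00:02Z DEBUG upload target s3://example-connector-logs/tenant42/sync.log
2025-06-01T10:00:02Z DEBUG aws_access_key_id=AKIAIOSFODNN7EXAMPLE aws_secret_access_key=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
2025-06-01T10:00:03Z INFO  directory sync completed, users=1532
2025-06-01T10:00:04Z DEBUG directory_token=dt_EXAMPLEtoken0123456789
"""

# Each pattern names the kind of secret or resource it detects. Group 1 is
# the sensitive value; it is masked before being reported. Field names such
# as directory_token are assumed, not OneLogin's real log keys.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b((?:AKIA|ASIA)[0-9A-Z]{16})\b"),
    "aws_secret_access_key": re.compile(
        r"aws_secret_access_key\s*[=:]\s*([A-Za-z0-9/+=]{40})", re.I),
    "s3_bucket": re.compile(r"s3://([a-z0-9][a-z0-9.-]{1,61}[a-z0-9])(?:/|\s|$)"),
    "api_or_directory_token": re.compile(
        r"\b(?:api[_-]?key|directory[_-]?token)\s*[=:]\s*(\S+)", re.I),
}


def mask(value: str) -> str:
    """Keep a short prefix so a finding can be matched to a rotation ticket."""
    if len(value) <= 4:
        return "*" * len(value)
    return value[:4] + "*" * (len(value) - 4)


def scan_log(text: str) -> list[dict]:
    """Return one finding per leaked value: line number, kind, masked value."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS.items():
            for match in pattern.finditer(line):
                findings.append({"line": lineno, "kind": kind,
                                 "value": mask(match.group(1))})
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"line {f['line']:>3}: {f['kind']:<24} {f['value']}")
```

Any hit on a real host should be treated as a compromised credential and rotated, not merely deleted from the log.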

While OneLogin has announced fixes, independent validation is pending. Customers are urged to monitor official release notes for further security updates.

The incident underscores the critical importance of rigorous security in identity platforms. As enterprises increasingly rely on IAM for access control, even a single vulnerability can have sweeping consequences across the digital enterprise landscape.


About Cybernoz

Security researcher and threat analyst with expertise in malware analysis and incident response.