OneLogin AD Connector Vulnerabilities Exposes Authentication Credentials

A comprehensive security investigation has revealed critical vulnerabilities in OneLogin’s Active Directory (AD) Connector service that exposed authentication credentials and enabled attackers to impersonate legitimate users across enterprise environments.

The vulnerabilities, which affect OneLogin’s widely-used identity and access management platform, demonstrated how threat actors could leverage exposed credentials to generate valid JSON Web Tokens (JWT) and gain unauthorized access to customer systems.

The security flaws emerged through research conducted on OneLogin’s trial tenant system, which provides potential customers with access to review the platform’s features and functionality.

What began as routine security analysis quickly escalated when researchers discovered that OneLogin’s AD Connector service was inadvertently exposing sensitive authentication materials through its API endpoints.

The connector service, deployed as ConnectorService.exe on Windows domain controllers, was found to transmit unencrypted credentials through configuration API calls, creating a significant attack surface for malicious actors.

SpecterOps analysts identified multiple critical exposure points within the OneLogin infrastructure, including cleartext AWS credentials, API keys, and cryptographic signing keys essential for JWT token generation.

The research revealed that attackers could exploit these exposed credentials to craft legitimate authentication tokens, effectively bypassing OneLogin’s security controls and impersonating any user synchronized with the directory service.

This vulnerability chain demonstrated a complete compromise scenario where initial credential exposure could lead to widespread unauthorized access across an organization’s federated applications.

The impact of these vulnerabilities extends far beyond simple credential theft, as OneLogin serves as a centralized identity provider for numerous enterprise customers.

When compromised, these systems can provide attackers with broad access across an organization’s entire application ecosystem, including cloud services, on-premises applications, and third-party integrations.

The research highlighted how identity federation platforms have become high-value targets due to their central role in modern enterprise security architectures.

Technical Exploitation Mechanism

The vulnerability exploitation process centered on OneLogin’s configuration API endpoint located at https://api.onelogin.com/api/adc/v4/configuration, which returned sensitive configuration data when queried with proper directory tokens.

Researchers discovered that this endpoint exposed critical information including API keys, AWS AKIA user credentials in cleartext, and base64-encoded signing keys necessary for JWT token creation.

The exposed AWS credentials revealed a particularly concerning finding when researchers attempted to access the referenced S3 bucket onelogin-adc-logs-production and discovered it was unclaimed.

By registering this bucket on a personal AWS account, researchers began receiving production log files from an actual OneLogin customer, containing detailed LDAP properties for all synchronized users and valid directory tokens.

This represented a complete breach of customer data confidentiality and highlighted systemic issues in OneLogin’s infrastructure management.

The technical exploitation relied heavily on reverse engineering OneLogin’s .NET ConnectorService.exe binary to understand JWT token construction.

Using decompilation tools, researchers identified the required JWT fields including expiration time (exp), issuer (iss), audience (aud), and subject (sub) values.

A Python script was developed to generate valid JWT tokens using the exposed signing keys, demonstrating the practical exploit capability.

The authentication process involved posting these crafted tokens to OneLogin’s SSO consumer URL, effectively bypassing all authentication controls and granting access to federated applications as any impersonated user.

This vulnerability chain represents a critical failure in secure credential management and API design, where a single exposed endpoint could compromise an entire customer’s identity infrastructure.

The research underscores the importance of treating identity federation platforms as Tier 0 assets requiring the highest levels of security protection and monitoring.

Automate threat response with ANY.RUN’s TI Feeds—Enrich alerts and block malicious IPs across all endpoints -> Request full access