
A recent investigation by SpecterOps has uncovered a chain of critical vulnerabilities in OneLogin’s Active Directory (AD) Connector service that enabled attackers to impersonate users across different organizations — with nothing more than leaked credentials and an unclaimed S3 bucket.
“OneLogin was found to have security vulnerabilities in its AD Connector service that exposed authentication credentials and enabled account impersonation,” the report states.
OneLogin, a leading identity and access management (IAM) provider, integrates tightly with enterprise Active Directory systems. However, researchers discovered that its AD Connector component, particularly ConnectorService.exe, exposed highly sensitive information during configuration — including API keys, directory tokens, AWS credentials, and even JWT signing keys.
Using disassembly tools like dotPeek and a controlled trial tenant, researchers pulled credentials directly from the local registry and the https://api.onelogin.com/api/adc/v4/configuration endpoint. This included an API key, directory token, and a base64-encoded JWT signing key — all of which could be used to forge legitimate tokens.
“The signing key… can potentially craft our own matching JWT tokens,” the author explains. “Good thing ConnectorService.exe is a .NET binary. We can disassemble it… and identify exactly how it is crafting JWT tokens.”
A supporting script demonstrates how an attacker could construct valid tokens for arbitrary users, effectively bypassing all authentication mechanisms.
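The practical lesson of a leaked HS256 signing key is that every token it ever signs stays mathematically valid, so the only remedy is to rotate the key and have the verifier refuse the old one. The following verifier is an added example written for this article, not SpecterOps' script and not OneLogin's code; the key ring, key IDs, audience and claims are all constructed values. It pins the algorithm, looks the key up by `kid`, rejects tokens signed with a key marked as retired, and checks audience and expiry.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed key ring for the example (not real key material).
# The verifier honours only keys under "active"; a key known to have leaked
# (for instance through an exposed connector configuration) is moved to
# "retired", so a token it signs is rejected even though its HMAC still matches.
KEY_RING = {
    "active": {"k2": b"constructed-rotated-signing-key"},
    "retired": {"k1": b"constructed-leaked-signing-key"},
}
AUDIENCE = "example-tenant"  # constructed value


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(claims: dict, key: bytes, kid: str, alg: str = "HS256") -> str:
    """Issuer side: build a compact JWT. `alg` is a parameter only so the
    test can produce a token with a disallowed algorithm for the verifier to reject."""
    header = {"alg": alg, "typ": "JWT", "kid": kid}
    signing_input = ".".join(
        _b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, claims)
    )
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def verify_token(token: str, key_ring: dict, audience: str, now=None):
    """Verifier side. Returns (accepted, reason, claims)."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed", None
    header_b64, claims_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        signature = _b64url_decode(sig_b64)
    except (ValueError, UnicodeDecodeError):
        return False, "malformed", None
    # Pin the algorithm: the token must never choose it ("none", key confusion).
    if header.get("alg") != "HS256":
        return False, "bad_alg", None
    kid = header.get("kid")
    if kid in key_ring["retired"]:
        return False, "retired_key", None  # signed with the leaked key: reject
    key = key_ring["active"].get(kid)
    if key is None:
        return False, "unknown_kid", None
    expected = hmac.new(key, f"{header_b64}.{claims_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return False, "bad_signature", None
    claims = json.loads(_b64url_decode(claims_b64))
    if claims.get("aud") != audience:
        return False, "bad_audience", None
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        return False, "expired", None
    return True, "ok", claims


if __name__ == "__main__":
    now = time.time()
    claims = {"sub": "alice@example.test", "aud": AUDIENCE, "exp": now + 300}
    fresh = issue_token(claims, KEY_RING["active"]["k2"], "k2")
    stale = issue_token(claims, KEY_RING["retired"]["k1"], "k1")
    print(verify_token(fresh, KEY_RING, AUDIENCE)[1])  # ok
    print(verify_token(stale, KEY_RING, AUDIENCE)[1])  # retired_key
```

The retired list is what makes rotation effective: simply deleting the old key would turn its tokens into "unknown_kid" failures as well, but keeping it listed lets the verifier log that a token signed with the compromised key was presented, which is the detection signal a responder wants after a leak like the one described above.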
Perhaps more concerning was how the team stumbled upon real customer data. Leaked AWS credentials found in the OneLogin AD Connector config allowed them to interact with an S3 bucket referenced by the OneLogin logging system — s3://onelogin-adc-logs-production. Surprisingly, this bucket didn’t exist yet.
“I quickly claimed it on a personal AWS account. I then opened the bucket permissions to allow the adc-logs-put-production user write access,” the researcher wrote.
The results were alarming. Within days, another OneLogin customer’s logs began streaming into the researcher’s bucket. These included:
- Full LDAP sync logs
- Directory tokens
- User details
- JWT signing key for the customer’s tenant
With this information, the researcher was able to impersonate any synced user from the affected tenant and access all SSO-integrated applications assigned to them.
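The bucket takeover above is a dangling-reference problem: a configuration names a bucket that nobody owns, and S3 bucket names are global, so whoever registers the name receives the writes. A defender can audit their own configurations and logs for this condition, because an unauthenticated HEAD on `https://<bucket>.s3.amazonaws.com/` answers 404 for a name no account has claimed and 403 for one that exists but is private. The script below is an added example, not SpecterOps' or OneLogin's code; the sample configuration text and bucket names are constructed, and the network probe is separated from the classification so the logic can be exercised offline.

```python
import re
import urllib.error
import urllib.request

# S3 bucket names: 3-63 chars of lowercase letters, digits, dots and hyphens.
S3_URI = re.compile(r"s3://([a-z0-9][a-z0-9.-]{1,61}[a-z0-9])(?:/[^\s\"']*)?")


def extract_bucket_names(text: str) -> list:
    """Return the unique bucket names referenced as s3:// URIs, in order of appearance."""
    names = []
    for match in S3_URI.finditer(text):
        if match.group(1) not in names:
            names.append(match.group(1))
    return names


def classify_head_status(status: int) -> str:
    """Map the HTTP status of an unauthenticated HEAD on the bucket's
    virtual-hosted endpoint to a finding.
    404 = no bucket of that name exists in any AWS account (unclaimed, so a
          third party could register it and receive whatever is written there)
    403 = exists but is not publicly readable
    200/301/307 = exists (301/307 are region redirects)."""
    if status == 404:
        return "UNCLAIMED"
    if status == 403:
        return "EXISTS_PRIVATE"
    if status in (200, 301, 307):
        return "EXISTS"
    return "UNKNOWN"


def head_bucket_status(bucket: str, timeout: float = 5.0) -> int:
    """Live probe (needs network access). Returns the HTTP status code."""
    req = urllib.request.Request(f"https://{bucket}.s3.amazonaws.com/", method="HEAD")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def audit_bucket_references(text: str, probe=head_bucket_status) -> dict:
    """Audit every s3:// reference in `text`; `probe` is injectable for testing."""
    return {name: classify_head_status(probe(name)) for name in extract_bucket_names(text)}


if __name__ == "__main__":
    # Constructed configuration fragment for the example (not real OneLogin config).
    sample_config = (
        "log_bucket = s3://example-adc-logs-production/2025/\n"
        "backup_bucket = s3://example-backups\n"
    )
    for bucket, finding in audit_bucket_references(sample_config).items():
        print(f"{bucket}: {finding}")
```

Any `UNCLAIMED` result for a name your software writes to is a finding to fix immediately, either by creating the bucket in your own account or by removing the reference; in the incident above the customer logs flowed to the researcher precisely because the producer kept writing to a name nobody owned.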
This incident is a reminder that IAM platforms like OneLogin must be treated as Tier 0 assets — the crown jewels of the enterprise.
“These systems are high-value targets; if compromised, they can provide attackers with broad and potentially unrestricted access across your organization,” the report warns.
SpecterOps coordinated disclosure with OneLogin, which responded by introducing new encryption mechanisms to protect API data. However, as of publication, these mitigations remain unverified by independent security researchers.