Vulnerabilities in OneLogin’s AD connector allowed researchers to access sensitive customer data using only a free trial version of the service.
Cybersecurity incidents are on the rise worldwide, and many organizations are struggling to keep up. Industry leader OneLogin, a trusted solution for identity management, had vulnerabilities that allowed users to access any account’s data just by using a free trial.
But let’s go back a little…
The researchers who discovered the vulnerabilities signed up for a trial of the product. With the trial, they could set up a free tenant profile. They then proceeded to install the OneLogin AD Connect service, ConnectorService.exe, on a single Windows 11 workstation.
Using the AD connector, they discovered the API tokens used to authenticate to OneLogin’s API.
Through a Broken Authorization vulnerability (API2:2023), they could access a private tenant JWT key.
And a Broken Object Property Level Authorization vulnerability (API3:2023) allowed them to get the user list.
The researchers were able to forge more JWT keys by decompiling the ConnectorService.exe .NET binary. With these keys and the user list, they could now authenticate themselves as any user.
Shown below is the Attack Path the researchers took.
In addition to this access, through a Security Misconfiguration (API8:2023), the researchers found exposed AWS keys linked to OneLogin.
With these keys, they were able to access an S3 bucket owned and managed by OneLogin and retrieve logs from other tenants stored in that bucket. These logs also contained further customer keys, including JWT and signing keys.
Overall, OneLogin was supposed to be a platform for identity and access management, but it failed at one of the most critical pillars of cybersecurity: Authorization.
For the last decade, Authentication and Authorization have consistently competed for first place as the leading vulnerabilities that cause breaches. Many organizations make the mistake of focusing on one and not the other, or of trying to combine them both, but as we’ve discussed before, they are separate entities and better off apart.
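As an added illustration of that point (example code, not OneLogin's or the researchers'), the snippet below separates the two steps: a tenant-scoped HS256 signature check establishes who the caller is, and a distinct authorization check decides whether that caller may read a given tenant's user list. Tenant names, keys and user lists are constructed sample data; the handler that skips the second step returns another tenant's users to any validly signed token.

```python
import base64, hashlib, hmac, json
from typing import Optional

# Constructed sample data: each tenant has its own signing key and user list.
TENANT_KEYS = {"tenant-a": b"key-a-secret", "tenant-b": b"key-b-secret"}
TENANT_USERS = {"tenant-a": ["alice", "amir"], "tenant-b": ["bob", "bao"]}

def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mint_token(tenant: str, sub: str) -> str:
    """Issuer side: an HS256 JWT signed with the named tenant's key."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps({"tenant": tenant, "sub": sub}).encode())
    mac = hmac.new(TENANT_KEYS[tenant], f"{header}.{payload}".encode(), hashlib.sha256)
    return f"{header}.{payload}.{_b64url_encode(mac.digest())}"

def authenticate(token: str) -> Optional[dict]:
    """Authentication only: is the token signed by the key of the tenant it claims?"""
    try:
        header, payload, sig = token.split(".")
        claims = json.loads(_b64url_decode(payload))
        key = TENANT_KEYS[claims["tenant"]]
        presented = _b64url_decode(sig)
    except (ValueError, KeyError, TypeError):
        return None
    expected = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return claims if hmac.compare_digest(expected, presented) else None

def list_users_vulnerable(token: str, tenant_id: str) -> Optional[list]:
    """Checks who the caller is, but never whether they may read tenant_id."""
    if authenticate(token) is None:
        return None
    return TENANT_USERS.get(tenant_id)

def list_users_hardened(token: str, tenant_id: str) -> Optional[list]:
    """Authorization as its own step: the token's tenant must own the object."""
    claims = authenticate(token)
    if claims is None or claims["tenant"] != tenant_id:
        return None
    return TENANT_USERS.get(tenant_id)
```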
Cybersecurity is a complex beast with many different aspects to secure. FireTail is here to help. If you want to learn more, schedule a demo or join our free tier, today.