OneLogin SecureNotes Breach Exposed Data in Cleartext

OneLogin confirmed this week an attacker took advantage of a bug in its system and was able to view sensitive notes, thought to be secure, posted by users.

Single sign-on company OneLogin began notifying customers this week that an attacker was able to take advantage of a bug in its system and view sensitive notes posted by users, thought to be secure.

The company, whose authentication technology secures cloud-based applications, confirmed the incident Tuesday in a blog post.

The compromised feature, Secure Notes, enables customers to store information, usually with “multiple levels of AES-256.” OneLogin encourages users to use the service to securely store information such as license keys and firewall passwords. A bug in a system the company uses for log storage and analytics apparently undermined that security.

According to OneLogin’s Chief Information Security Officer Alvaro Hoyos, the bug caused all notes – for at least one month this summer – to be stored in cleartext. Specifically, the bug caused notes entered from July 25 to Aug. 25, to be visible in OneLogin’s logging system before they were encrypted.

To make matters worse, in an unrelated incident, an attacker was able to compromise the password of a OneLogin employee and gain access to the logging system where the notes were being saved.

After the company patched the code, locked out end users, and added filters to prevent the ability to search for old notes, it began to consider the impact of the incident; that’s when OneLogin’s security team discovered the compromised account.

“As part of the investigation we found suspicious queries from a specific username,” Hoyos told Threatpost Wednesday, “when we went back in time, we saw a pattern of queries, some coming from potentially malicious IP addresses, some even coming from a different time zone.”

Hoyos is warning OneLogin users that the attacker may have had access as early as July 2, meaning if a customer tried saving a note from June 2 to July 24, it may have been read too. The company rotates its logs every 30 days and can say definitively the attacker was able to view notes from July 25 to August 25. In reviewing its logs from the month prior, the team also observed logins from the attacker during June, however.

The company didn’t specify the exact number of users affected but stressed the bug only compromised a small subset of its 12 million users.

The company said it fixed the bug the same day it was discovered, and that it reset passwords in external systems that don’t support SAML, or Security Assertion Markup Language, a XML-based standard for web browser single sign-on. Going forward access, to the company’s log management system will only be able to be accessed via SAML-based authentication and through a limited set of IP addresses, according to Hoyos.

“We use SAML regularly to authenticate this app, but when looking around to see what method the bad actor used to get in, they simply used form-based authentication,” Hoyos said, “That’s one area where we dropped the ball, if you will.”

The company began notifying affected customers via email on Monday, and Hoyos claims OneLogin will keep them posted as its investigation continues.

Suggested articles