Amazon Cognito Misconfiguraitons

Amazon Cognito is a powerful service for managing user authentication and authorization in web and mobile applications. However, misconfigurations in Cognito can open the door to serious security risks, such as account takeovers, privilege escalations, and unauthorized access to AWS resources. In this blog post, we’ll explore common Cognito misconfigurations, provide a detailed table of test cases to identify vulnerabilities, and share practical tips to secure your Cognito setup. Whether you’re a developer, security professional, or DevOps engineer, this guide will help you strengthen your AWS environment.

Why Amazon Cognito Security Matters

Amazon Cognito simplifies user management with its user pools (for sign-up and sign-in) and identity pools (for AWS resource access). However, its flexibility can lead to misconfigurations that attackers exploit. Recent research, including case studies like the Flickr account takeover, highlights how seemingly minor oversights—such as allowing unverified email updates or exposing sensitive IDs—can lead to catastrophic breaches. By proactively testing for these issues, you can protect your application and users from such risks.

Common UserPools attacks

Detect Cognito UserPools usage: Extract UserPoolID or ClientId from the JS/HTML or Signup/Login
Zero Click Account Takeover via Updating Email Before Verification: Updating email attributes to already registere email addresses and before verification try to login with the new email address Leads to ATO Reference: aws cognito-idp admin-update-user-attributes --user-pool-id <your-user-pool-id> --username <username> --user-attributes Name="email",Value="Victim@gmail.com"
Privilege Escalation via Updating User Attributes: Use AWS CLI to update custom attributes and check if it results in elevated privileges aws cognito-idp admin-update-user-attributes --user-pool-id <your-user-pool-id> --username <username> --user-attributes Name="custom:role",Value="admin"Reference: Reference:
Authentication Bypass through Self Signup API: Verify if the Signup API is enabled and attempt a direct sign-up using AWS - Self Registration aws cognito-idp sign-up --client-id <your-client-id> --username <test-user> --password <test-password> - Confirm the email address aws cognito-idp confirm-sign-up — client-id — username — confirmation-code — regionReference: Refrences:
Unverified Email/Phone Attributes:

If application doesn't require email verification this may lead to duplicate registerationa, Account Overwrite and ATO attacks

MFA Enforcement Bypass Scenarios:

Attempt to authenticate without providing MFA after password entry.
Test if MFA can be disabled by a standard user (User unintentionally has the Wright permission).

Password Reset and Account Recovery: Test for race conditions or token replay vulnerabilities in the reset process

Misconfigured Attributes read and write permissions: In some websites users can't update their info like email in the UI so attacker can change this info via the API if the attribute write permission is enabled
Token Revocation Issues: Cognioto Succesfully revoked the code but the application's api didn't

Token Intigriti Issues:

The session is indeed checked to see if it lines up with the correct username.
The IdToken is checked to see if it’s valid (i.e., not expired).
However, there wasn’t any code linking that IdToken to the specific session or user. That’s because the dev who wrote the custom challenge logic didn’t do that last piece of validation!

Test Third-Party Identity Providers (IdP) and Federation

Test for Arbitrary Identity Token Acceptance: If Cognito accepts ID tokens from any IdP without validation, it may allow attackers to impersonate users

Forge a valid-looking JWT token (for OIDC) with your own IdP (e.g., a local Keycloak or Auth0 instance).
Set the iss (issuer) to match the target’s expected IdP.
Replace the aud with the expected Cognito client ID.

curl -X POST https://<domain>.auth.<region>.amazoncognito.com/oauth2/token \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -d "grant_type=authorization_code&code=...&redirect_uri=..." \
  -H "Authorization: Bearer <your_forged_token>"

IDP Role Injection via Claims Mapping: If role/permission claims from IdP are mapped to AWS roles or Cognito groups without validation, an attacker could elevate privileges

Forge or modify an identity assertion (SAML or JWT) that includes elevated claims like:

jsonCopyEdit"custom:role": "admin"

Use a test IdP you control to submit these claims.
Watch if Cognito accepts the claim and assigns privileges (e.g., in app or AWS permissions).

Scope/Claims Overreach: If the application doesn’t restrict OIDC/SAML scopes/claims, attackers might access unintended user data.

Try requesting excessive scopes:

httpCopyEditscope=openid profile email aws.cognito.signin.user.admin

Look at returned claims in id_token or access_token

Common IdentityPools attacks

Dorks

IdentityPoolId 
Aws_cognito_identity_pool_id 
Identity Pool Id 
AWSCognitoIdentityService 
clientId 
client_id 
aws_user_pools_web_client_id

How to Use These Test Cases

To execute these test cases, you’ll need tools like the AWS CLI, Burp Suite for intercepting requests, or enumeration tools like enumerate-iam and ScoutSuite. Here’s a quick guide to get started:

Set Up AWS CLI: Configure AWS CLI with temporary credentials or a test account to interact with Cognito APIs safely.
Inspect Client-Side Code: Use browser developer tools or Burp Suite to check for exposed IDs like App Client ID or Identity Pool ID in JavaScript files or API responses.
Test Attribute Updates: Use AWS CLI commands like admin-update-user-attributes to attempt modifying email or custom attributes, checking for verification bypasses or privilege escalations.
Verify Permissions: Review your Cognito user pool settings in the AWS Management Console, ensuring that self-signup is disabled (if not needed) and attribute permissions are restricted.

For example, to test for the "Zero Click Account Takeover" vulnerability (inspired by the Flickr case), you can try updating a user’s email attribute with a case-sensitive variation (e.g., Victim@gmail.com vs. victim@gmail.com) using the following AWS CLI command:

aws cognito-idp admin-update-user-attributes --user-pool-id <your-user-pool-id> --username <username> --user-attributes Name="email",Value="Victim@gmail.com"

If the update succeeds without verification, your setup may be vulnerable.

Refrences

For further reading, check out these excellent resources:

Stay secure, and happy testing!

PreviousS3 Buckets Misconfigurations NextProgramming

Last updated 19 hours ago

Was this helpful?

Amazon Cognito is a powerful service for managing user authentication and authorization in web and mobile applications. However, misconfigurations in Cognito can open the door to serious security risks, such as account takeovers, privilege escalations, and unauthorized access to AWS resources. In this blog post, we’ll explore common Cognito misconfigurations, provide a detailed table of test cases to identify vulnerabilities, and share practical tips to secure your Cognito setup. Whether you’re a developer, security professional, or DevOps engineer, this guide will help you strengthen your AWS environment.

Why Amazon Cognito Security Matters

Amazon Cognito simplifies user management with its user pools (for sign-up and sign-in) and identity pools (for AWS resource access). However, its flexibility can lead to misconfigurations that attackers exploit. Recent research, including case studies like the Flickr account takeover, highlights how seemingly minor oversights—such as allowing unverified email updates or exposing sensitive IDs—can lead to catastrophic breaches. By proactively testing for these issues, you can protect your application and users from such risks.

Common UserPools attacks

Detect Cognito UserPools usage: Extract UserPoolID or ClientId from the JS/HTML or Signup/Login
Zero Click Account Takeover via Updating Email Before Verification: Updating email attributes to already registere email addresses and before verification try to login with the new email address Leads to ATO Reference: aws cognito-idp admin-update-user-attributes --user-pool-id <your-user-pool-id> --username <username> --user-attributes Name="email",Value="Victim@gmail.com"
Privilege Escalation via Updating User Attributes: Use AWS CLI to update custom attributes and check if it results in elevated privileges aws cognito-idp admin-update-user-attributes --user-pool-id <your-user-pool-id> --username <username> --user-attributes Name="custom:role",Value="admin"Reference: Reference:
Authentication Bypass through Self Signup API: Verify if the Signup API is enabled and attempt a direct sign-up using AWS - Self Registration aws cognito-idp sign-up --client-id <your-client-id> --username <test-user> --password <test-password> - Confirm the email address aws cognito-idp confirm-sign-up — client-id — username — confirmation-code — regionReference: Refrences:
Unverified Email/Phone Attributes:

If application doesn't require email verification this may lead to duplicate registerationa, Account Overwrite and ATO attacks
If an email address is configured as an alias and a new user is created with a duplicate email, the alias can be transferred to the newer user, un-verifying the former user's email

Insecure Callback URLs: Insecure callback URL configurations are a common misconfiguration in OAuth 2.0 and OIDC flows used by Cognito. This includes using HTTP instead of HTTPS (except for http://localhost for testing), configuring overly broad wildcard URLs (e.g., * or *.example.com), or failing to strictly validate the redirect URI in authentication requests
MFA Enforcement Bypass Scenarios:

Attempt to authenticate without providing MFA after password entry.
Test if MFA can be disabled by a standard user (User unintentionally has the Wright permission).

Password Reset and Account Recovery: Test for race conditions or token replay vulnerabilities in the reset process

Misconfigured Attributes read and write permissions: In some websites users can't update their info like email in the UI so attacker can change this info via the API if the attribute write permission is enabled
Token Revocation Issues: Cognioto Succesfully revoked the code but the application's api didn't

Token Intigriti Issues:

The session is indeed checked to see if it lines up with the correct username.
The IdToken is checked to see if it’s valid (i.e., not expired).
However, there wasn’t any code linking that IdToken to the specific session or user. That’s because the dev who wrote the custom challenge logic didn’t do that last piece of validation!

Test Third-Party Identity Providers (IdP) and Federation

Test for Arbitrary Identity Token Acceptance: If Cognito accepts ID tokens from any IdP without validation, it may allow attackers to impersonate users

Forge a valid-looking JWT token (for OIDC) with your own IdP (e.g., a local Keycloak or Auth0 instance).
Set the iss (issuer) to match the target’s expected IdP.
Replace the aud with the expected Cognito client ID.

curl -X POST https://<domain>.auth.<region>.amazoncognito.com/oauth2/token \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -d "grant_type=authorization_code&code=...&redirect_uri=..." \
  -H "Authorization: Bearer <your_forged_token>"

IDP Role Injection via Claims Mapping: If role/permission claims from IdP are mapped to AWS roles or Cognito groups without validation, an attacker could elevate privileges

Forge or modify an identity assertion (SAML or JWT) that includes elevated claims like:

jsonCopyEdit"custom:role": "admin"

Use a test IdP you control to submit these claims.
Watch if Cognito accepts the claim and assigns privileges (e.g., in app or AWS permissions).

Scope/Claims Overreach: If the application doesn’t restrict OIDC/SAML scopes/claims, attackers might access unintended user data.

Try requesting excessive scopes:

httpCopyEditscope=openid profile email aws.cognito.signin.user.admin

Look at returned claims in id_token or access_token

Common IdentityPools attacks

Dorks

IdentityPoolId 
Aws_cognito_identity_pool_id 
Identity Pool Id 
AWSCognitoIdentityService 
clientId 
client_id 
aws_user_pools_web_client_id

Leakage of Secrets like Identity Pool ID in JS Files: Inspect client-side code or API responses for exposed Identity Pool IDs, then attempt to generate temporary AWS credentials then use tool to enumerate permissions associated with these credentials like . aws cognito-identity get-id --identity-pool-id '[IdentityPoolId]' --logins "cognito-idp.{region}.amazonaws.com/{UserPoolId}={idToken}" aws cognito-identity get-credentials-for-identity --identity-id '{IdentityId}' --logins "cognito-idp.{region}.amazonaws.com/{UserPoolId}={idToken}" Reference: Reference: Reference: Reference:

How to Use These Test Cases

To execute these test cases, you’ll need tools like the AWS CLI, Burp Suite for intercepting requests, or enumeration tools like enumerate-iam and ScoutSuite. Here’s a quick guide to get started:

Set Up AWS CLI: Configure AWS CLI with temporary credentials or a test account to interact with Cognito APIs safely.
Inspect Client-Side Code: Use browser developer tools or Burp Suite to check for exposed IDs like App Client ID or Identity Pool ID in JavaScript files or API responses.
Test Attribute Updates: Use AWS CLI commands like admin-update-user-attributes to attempt modifying email or custom attributes, checking for verification bypasses or privilege escalations.
Verify Permissions: Review your Cognito user pool settings in the AWS Management Console, ensuring that self-signup is disabled (if not needed) and attribute permissions are restricted.

For example, to test for the "Zero Click Account Takeover" vulnerability (inspired by the Flickr case), you can try updating a user’s email attribute with a case-sensitive variation (e.g., Victim@gmail.com vs. victim@gmail.com) using the following AWS CLI command:

aws cognito-idp admin-update-user-attributes --user-pool-id <your-user-pool-id> --username <username> --user-attributes Name="email",Value="Victim@gmail.com"

If the update succeeds without verification, your setup may be vulnerable.

Refrences

For further reading, check out these excellent resources:

Stay secure, and happy testing!

If an email address is configured as an alias and a new user is created with a duplicate email, the alias can be transferred to the newer user, un-verifying the former user's email

Insecure Callback URLs: Insecure callback URL configurations are a common misconfiguration in OAuth 2.0 and OIDC flows used by Cognito. This includes using HTTP instead of HTTPS (except for http://localhost for testing), configuring overly broad wildcard URLs (e.g., * or *.example.com), or failing to strictly validate the redirect URI in authentication requests

Leakage of Secrets like Identity Pool ID in JS Files: Inspect client-side code or API responses for exposed Identity Pool IDs, then attempt to generate temporary AWS credentials then use tool to enumerate permissions associated with these credentials like . aws cognito-identity get-id --identity-pool-id '[IdentityPoolId]' --logins "cognito-idp.{region}.amazonaws.com/{UserPoolId}={idToken}" aws cognito-identity get-credentials-for-identity --identity-id '{IdentityId}' --logins "cognito-idp.{region}.amazonaws.com/{UserPoolId}={idToken}" Reference: Reference: Reference: Reference: