AWS Cognito Misconfigurations
Written by Eldar Zavida on
Introduction
Amazon Cognito provides authentication, authorization, and a user management solution for systems such as web and mobile applications. Users can log in directly with a username and password or through a third-party application such as Facebook, Amazon, Google, or Apple using the OAuth protocol.
The two main components of Amazon Cognito are user pools and identity pools. User pools are user directories that provide sign-up and sign-in options for application users, whereas identity pools enable developers to grant users access to other AWS services.
Implementing weak and insecure configurations in Cognito can lead to sensitive information disclosure and even account takeover attacks in the worst-case scenarios. This article will review some of the common misconfigurations that can be found at the application security level.
Common Misconfigurations
Over Permissive AWS Temporary Credentials
When a user needs to access certain AWS services, developers can grant permissions to those services using temporary credentials, which consist of an access key ID, a secret key, and a session token. Unintentionally granting those credentials permissive access to multiple services could expose sensitive information to unauthorized entities, such as confidential files and directories stored in S3.
The permissions associated with a given set of credentials can be enumerated with publicly available tools such as enumerate-iam, which attempts to discover all API calls allowed by the IAM policy by brute-forcing known endpoints and strings.
Mitigation
When configuring roles for AWS Cognito identities, follow the principle of least privilege by granting each identity only the minimum privileges it needs.
Authentication Bypass due to Enabled Signup Action
Some applications do not offer user sign-up and only provide a dedicated login panel to authorized users. However, developers tend to forget to disable the SignUp API action, which is enabled by default and allows registering a new account against the target system’s client ID (usually found in the web application’s source code). As a result, it might be possible to bypass the application’s business logic flow and obtain unauthorized access to the system.
Mitigation
If the application does not offer open sign-up by design, turn off the Cognito sign-up feature to reduce the attack surface and prevent accounts from being created without approval, which can lead to unauthorized access.
Privilege Escalation using Writable User Attributes
Attributes are pieces of information that identify individual users, such as name, email address, and phone number. Each user pool has a set of default attributes along with custom attributes that developers can create. A newly created custom attribute is writable by default, and many developers forget to set it as read-only. This might allow an adversary to update the attribute values via the API and escalate their privileges as a result.
Mitigation
Disable write permissions on custom attributes in AWS Cognito to prevent unauthorized changes.
Updating Email Attribute Before Verification
After successful authentication with Cognito, the user receives an access token that can be used to read and write the user’s attributes. In some cases, the user can update the email attribute to a value that has not yet been verified. Some applications do not check whether the updated email address has been verified before authentication and allow logging in with an unverified email address, which could lead to an account takeover of the targeted user.
Mitigation
Enabling “Keep original attribute value active” in AWS Cognito retains the previous value of an attribute until the updated value has been verified, preventing unintentional or malicious changes from taking effect.
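As an added example (not code from the article), the following Python audits a user pool description for the three user-pool misconfigurations discussed above: open sign-up, user-writable custom attributes, and email updates without verification. It works offline on the constructed sample dicts, which mirror the shape of boto3's DescribeUserPool and DescribeUserPoolClient responses; the IDs in the sample are placeholders.

```python
from typing import Dict, List

def audit_user_pool(pool: Dict, client: Dict) -> List[str]:
    """Flag misconfigurations in a DescribeUserPool 'UserPool' dict and a
    DescribeUserPoolClient 'UserPoolClient' dict, as boto3 returns them."""
    findings: List[str] = []

    # Sign-up: unless AllowAdminCreateUserOnly is True, the public SignUp API
    # accepts new registrations for any app client of this pool.
    admin_only = pool.get("AdminCreateUserConfig", {}).get("AllowAdminCreateUserOnly", False)
    if not admin_only:
        findings.append("self-service sign-up is enabled (SignUp API is open)")

    # Custom attributes: user-writable when the schema marks them Mutable and
    # the app client explicitly lists them in WriteAttributes.
    writable = set(client.get("WriteAttributes", []))
    for attr in pool.get("SchemaAttributes", []):
        name = attr.get("Name", "")
        if name.startswith("custom:") and attr.get("Mutable", False) and name in writable:
            findings.append(f"custom attribute {name} is writable through the app client")

    # Email: unless 'email' must be verified before an update takes effect, a
    # user can replace it with an unverified address (the console's "keep
    # original attribute value active" setting maps to this list).
    settings = pool.get("UserAttributeUpdateSettings", {})
    if "email" not in settings.get("AttributesRequireVerificationBeforeUpdate", []):
        findings.append("email can be changed without verification")
    return findings

# Constructed sample of a weakly configured pool and app client; the IDs are
# placeholders, not real AWS resources.
SAMPLE_POOL = {
    "Id": "us-east-1_EXAMPLE",
    "AdminCreateUserConfig": {"AllowAdminCreateUserOnly": False},
    "SchemaAttributes": [
        {"Name": "email", "Mutable": True, "Required": True},
        {"Name": "custom:role", "Mutable": True, "Required": False},
        {"Name": "custom:tenant_id", "Mutable": False, "Required": False},
    ],
    "UserAttributeUpdateSettings": {"AttributesRequireVerificationBeforeUpdate": []},
}
SAMPLE_CLIENT = {"ClientId": "EXAMPLECLIENTID", "WriteAttributes": ["email", "custom:role"]}

def fetch_and_audit(user_pool_id: str, client_id: str) -> List[str]:
    """Audit a live pool; needs cognito-idp:DescribeUserPool and DescribeUserPoolClient."""
    import boto3  # imported here so the offline checks above need no AWS SDK
    idp = boto3.client("cognito-idp")
    pool = idp.describe_user_pool(UserPoolId=user_pool_id)["UserPool"]
    client = idp.describe_user_pool_client(UserPoolId=user_pool_id, ClientId=client_id)["UserPoolClient"]
    return audit_user_pool(pool, client)
```

Running `audit_user_pool(SAMPLE_POOL, SAMPLE_CLIENT)` reports all three findings, while `custom:tenant_id` is not flagged because it is immutable in the schema.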