Skip to main content

From an AWS Cognito Misconfiguration to Full Account Takeover

Illustration of From an AWS Cognito Misconfiguration to Full Account Takeover
Securitum

Issues with AWS Cognito configuration can expose applications to significant abuse, including privilege escalation attacks. The discovered vulnerability allows users to modify their attributes, potentially granting access to resources belonging to other entities in the system.

Description of the vulnerability

The tested application implements AWS Cognito as its authentication mechanism. However, a misconfiguration of this mechanism permits any user with an active account to modify their attributes within Cognito. This allows them to assume the identity of another merchant (business entity) in the system. Consequently, the attacker could perform actions on behalf of the compromised entity, such as creating business relationships.

Also, this issue affects both the web and mobile versions of the application due to their shared API.

Technical details

The attack leverages AWS Cognito’s authentication process and requires a network traffic analysis tool, such as Burp Suite, along with the AWS CLI toolkit.

  1. Intercept Application Traffic: Configure the application to route its network traffic through a proxy server.

  2. Log in to the Application

    During the login process, intercept a request sent to AWS Cognito, which includes the Access Token.

    Example request:

    Login request

  3. Retrieve User Attributes

    Using the Access Token, the attacker can retrieve their own attributes in AWS Cognito with the following command:

    Retrieve attributes

    Example user attributes:

    User attributes

  4. Modify Attributes:

    The attacker modifies the custom:m_id attribute, which identifies the merchant associated with the account, using the following command:

    Modify attributes

    After relogging, the user gains access to resources belonging to the other merchant.

Recommendations

To prevent exploitation, it is recommended to:

  1. Restrict Attribute Modifications Disable the ability for users to modify sensitive attributes such as custom:m_id e.g. by using pre-token generation Lambda triggers to validate and restrict attribute changes.

  2. Implement Backend Validation Ensure the backend verifies whether a user is authorized to modify specific attributes.

  3. Conduct a Security Audit Regularly review AWS Cognito configuration as well as, both authenticated and unauthenticated user permissions to identify potential misconfigurations.

Other Insights

Illustration of Session Fixation: A „Hidden Threat” to Web Application Security

Session Fixation: A „Hidden Threat” to Web Application Security

Marcin Zięba

Session fixation is a security vulnerability that occurs when an attacker forces a legitimate user to utilize a predetermined session identifier (session ID). This allows the attacker to hijack the session and impersonate the victim once they authenticate with the web application. The vulnerability arises when an application fails to properly regenerate a new session ID upon user authentication, thereby continuing to use the preexisting session ID provided by the attacker. Common attack vectors include injecting the session ID through URL parameters, cookies, or hidden form fields.

READ article
Illustration of Exploiting the Password Reset Vulnerability: A Real-World Case Study.

Exploiting the Password Reset Vulnerability: A Real-World Case Study.

Securitum

Modern web applications need to prioritize user security. However, even well-designed systems can have hidden flaws that make them vulnerable to attacks. During a recent security test, a serious issue was found in the password reset feature of an application. This vulnerability made it possible for attackers to gain access to any user account, including the super administrators. Here's what went wrong and why it's such a big problem.

READ article
A professional cybersecurity consultant ready to assist with your inquiry.

Any questions?

Happy to get a call or email
and help!

Contact Us