high

Password Reset Code Brute-Force Vulnerability in AWS Cognito

Published Fri, Apr 30th, 2021
Platforms

Summary

A vulnerability in AWS Cognito's password reset function allowed attackers to brute-force the six-digit reset code, potentially leading to account takeovers. Using concurrent HTTP requests, an attacker could make up to 1587 guesses instead of the documented limit of 20. The issue affected accounts without multi-factor authentication and was fixed by AWS on April 20, 2021.

Affected Services

Cognito

Remediation

Enable multi-factor authentication for AWS Cognito accounts. AWS customers can implement their own rate-limiting before sending requests to AWS Cognito.

Tracked CVEs

No tracked CVEs

References

Entry Status
Stub (AI-Generated)
Disclosure Date
Mon, Mar 22nd, 2021
Exploitability Period
Until 2021/04/20
Known ITW Exploitation
-
Detection Methods
Monitor for unusual patterns of password reset attempts on AWS Cognito accounts, particularly those involving a high number of failed attempts in a short period.
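As an added example (not code from the original entry or from AWS), the detection above run over constructed log records: a sliding-window count of failed reset-code confirmations per user, flagging anyone who exceeds the documented 20-attempt limit in a short burst. The record format, field names, and the `ConfirmForgotPassword` / `CodeMismatchException` names are assumptions about how such events would be logged.

```python
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

WINDOW = timedelta(minutes=5)
THRESHOLD = 20  # documented per-user attempt limit quoted in the summary


def make_event(ts, username, error):
    # Constructed log record; the schema and field names are assumptions.
    return json.dumps({"ts": ts.isoformat(), "action": "ConfirmForgotPassword",
                       "username": username, "error": error})


def constructed_logs():
    base = datetime(2021, 3, 22, 12, 0, tzinfo=timezone.utc)
    # A normal user mistyping the code a few times, then succeeding.
    lines = [make_event(base + timedelta(minutes=i), "alice", "CodeMismatchException")
             for i in range(3)]
    lines.append(make_event(base + timedelta(minutes=4), "alice", None))
    # 25 failures against one account within two seconds: the shape a
    # concurrent-request burst leaves behind.
    lines += [make_event(base + timedelta(milliseconds=80 * i), "victim",
                         "CodeMismatchException") for i in range(25)]
    return lines


def failed_confirmations(lines):
    """Yield (timestamp, username) for every failed reset-code confirmation."""
    for line in lines:
        ev = json.loads(line)
        if ev["action"] == "ConfirmForgotPassword" and ev["error"]:
            yield datetime.fromisoformat(ev["ts"]), ev["username"]


def find_bruteforce(lines, window=WINDOW, threshold=THRESHOLD):
    """Return {username: peak failures inside any `window`} for users over `threshold`."""
    recent = defaultdict(deque)  # per-user timestamps still inside the window
    peaks = defaultdict(int)
    for ts, user in sorted(failed_confirmations(lines)):
        q = recent[user]
        q.append(ts)
        while ts - q[0] > window:  # drop attempts that fell out of the window
            q.popleft()
        peaks[user] = max(peaks[user], len(q))
    return {u: n for u, n in peaks.items() if n > threshold}


if __name__ == "__main__":
    print(find_bruteforce(constructed_logs()))  # {'victim': 25}
```

A customer-side rate limiter placed in front of Cognito, as the remediation suggests, can reuse the same per-user sliding window to reject attempts before they reach the service.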
Piercing Index Rating
-
Discovered by
Tobias Ospelt, Pentagrid AG