Summary
Opsmorph discovered an improper access control vulnerability in authorization logic common in applications built on AWS. The vulnerability means a user
with permission to create a new Cognito User Group could fool authorization checks into thinking that the user is in any other existing Cognito User
Group in the same User Pool, referred to as user group spoofing.
When API Gateway is secured with a Cognito User Pool Authorizer it concatenates group names from the identity token into a comma separated string,
and as Cognito also permits commas in the group names, this was an ambiguous representation of the groups a user was in that provided an opportunity
for injection type attack. AWS have since fixed the Cognito User Pool Authorizer so that it now escapes special characters when parsing the groups claim
of the token.
Affected Services
Cognito, Amazon API Gateway
Remediation
None required
Tracked CVEs
No tracked CVEs
References
Contributed by https://github.com/0xdabbad00
Disclosure Date
Tue, Feb 15th, 2022
Exploitablity Period
-
Known ITW Exploitation
-
Detection Methods
-
Piercing Index Rating
-
Discovered by
opsmorph
