low

Cognito User Group spoofing

Published Tue, Feb 15th, 2022
Platforms

Summary

Opsmorph discovered an improper access control vulnerability in authorization logic common in applications built on AWS. The vulnerability means a user with permission to create a new Cognito User Group could fool authorization checks into thinking that the user is in any other existing Cognito User Group in the same User Pool, referred to as user group spoofing. When API Gateway is secured with a Cognito User Pool Authorizer it concatenates group names from the identity token into a comma separated string, and as Cognito also permits commas in the group names, this was an ambiguous representation of the groups a user was in that provided an opportunity for injection type attack. AWS have since fixed the Cognito User Pool Authorizer so that it now escapes special characters when parsing the groups claim of the token.

Affected Services

Cognito, Amazon API Gateway

Remediation

None required

Tracked CVEs

No tracked CVEs

References

Disclosure Date
Tue, Feb 15th, 2022
Exploitablity Period
-
Known ITW Exploitation
-
Detection Methods
-
Discovered by
opsmorph