Cognito User Group spoofing

Published Tue, Feb 15th, 2022


Opsmorph discovered an improper access control vulnerability in authorization logic common to applications built on AWS. A user with permission to create a new Cognito User Group could fool authorization checks into treating that user as a member of any other existing Cognito User Group in the same User Pool; this is referred to here as user group spoofing. When API Gateway is secured with a Cognito User Pool Authorizer, the authorizer concatenates the group names from the identity token into a comma-separated string. Because Cognito also permits commas in group names, this was an ambiguous representation of the groups a user was in and opened the door to an injection-type attack. AWS have since fixed the Cognito User Pool Authorizer so that it now escapes special characters when parsing the groups claim of the token.
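To make the ambiguity concrete, the following is an added Python example, not code from Opsmorph or AWS. It models the pre-fix authorizer flattening the `cognito:groups` claim into a comma-joined string, a backend membership check that naively splits that string, the hardened check that works from the claim array instead, and a small audit helper for group names that contain the separator. The sample claims, group names and the exact joining behaviour are assumptions based on the description above.

```python
# Constructed sample identity-token claims (not real tokens). The first user is a
# legitimate member of "admins"; the second user, who has permission to create
# groups, has created a group whose name happens to be "team,admins".
ADMIN_CLAIMS = {"sub": "user-1", "cognito:groups": ["admins"]}
SPOOFER_CLAIMS = {"sub": "user-2", "cognito:groups": ["team,admins"]}


def legacy_groups_context(claims):
    """Model of the pre-fix authorizer (assumed behaviour): the groups claim
    array is flattened into a single comma-separated string."""
    return ",".join(claims.get("cognito:groups", []))


def is_member_naive(groups_context, required):
    """Vulnerable backend check: splitting the flattened string on commas
    turns the single group "team,admins" into two apparent groups."""
    return required in groups_context.split(",")


def is_member_from_claims(claims, required):
    """Hardened check: compare against the groups claim as an array (e.g. taken
    from the verified JWT itself) and refuse to re-parse a joined string."""
    groups = claims.get("cognito:groups", [])
    if isinstance(groups, str):
        raise ValueError("groups claim must be a list, not a joined string")
    return required in groups


def groups_with_separator(group_names, separator=","):
    """Audit helper: group names containing the separator are exactly the ones
    that make any joined representation ambiguous, so flag them for review."""
    return [name for name in group_names if separator in name]
```

The naive check accepts both sample users as "admins", while the claim-array check accepts only the legitimate administrator.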

Affected Services

Cognito, Amazon API Gateway


None required

Tracked CVEs

No tracked CVEs


Disclosure Date
Tue, Feb 15th, 2022
Exploitability Period
Known ITW Exploitation
Detection Methods
Piercing Index Rating
Discovered by