low

Cognito User Group spoofing

Published Tue, Feb 15th, 2022

Platforms

aws

Summary

Opsmorph discovered an improper access control vulnerability in authorization logic common to applications built on AWS. The vulnerability meant that a user with permission to create a new Cognito User Group could fool authorization checks into treating that user as a member of any other existing Cognito User Group in the same User Pool, referred to as user group spoofing. When API Gateway is secured with a Cognito User Pool Authorizer, the authorizer concatenates the group names from the identity token into a single comma-separated string; because Cognito also permits commas in group names, this string was an ambiguous representation of the groups a user belonged to and opened the way to an injection-type attack. AWS have since fixed the Cognito User Pool Authorizer so that it now escapes special characters when parsing the groups claim of the token.
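The following is an added illustration, not code from the Opsmorph write-up or from AWS, of why the comma-joined representation was ambiguous and what a defender-side check looks like. It assumes the ID token carries groups as a JSON array under the `cognito:groups` claim; the token builder, claim values and group names are constructed test data, and signature verification is assumed to happen upstream.

```python
import base64
import json

# Constructed example claims; a Cognito ID token carries the user's
# groups as a JSON array under the "cognito:groups" claim.
CLAIMS_SPOOF = {"sub": "user-1", "cognito:groups": ["members,admins"]}
CLAIMS_REAL = {"sub": "user-2", "cognito:groups": ["members", "admins"]}


def _b64url(obj) -> str:
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def make_unsigned_token(claims: dict) -> str:
    """Build a constructed, unsigned JWT carrying `claims` (test data only)."""
    return ".".join([_b64url({"alg": "none"}), _b64url(claims), ""])


def decode_payload(token: str) -> dict:
    """Read the payload segment only. Signature verification is assumed to
    have been done upstream (by the authorizer); this just extracts claims."""
    seg = token.split(".")[1]
    seg += "=" * (-len(seg) % 4)
    return json.loads(base64.urlsafe_b64decode(seg))


def legacy_groups_string(claims: dict) -> str:
    """The pre-fix representation: group names joined with bare commas."""
    return ",".join(claims.get("cognito:groups", []))


def naive_has_group(groups_string: str, wanted: str) -> bool:
    """Authorization check over the joined string. A single group whose own
    name contains a comma splits into several apparent memberships."""
    return wanted in groups_string.split(",")


def has_group(token: str, wanted: str) -> bool:
    """Check membership against the array claim itself; elements are compared
    whole, so the name "members,admins" never matches "admins"."""
    groups = decode_payload(token).get("cognito:groups", [])
    return isinstance(groups, list) and wanted in groups


def ambiguous_group_names(pool_group_names) -> list:
    """Flag group names that would be ambiguous in a comma-joined string;
    useful as a review over the groups defined in a User Pool."""
    return [g for g in pool_group_names if "," in g]
```

Running `naive_has_group(legacy_groups_string(CLAIMS_SPOOF), "admins")` returns True while `has_group(make_unsigned_token(CLAIMS_SPOOF), "admins")` returns False, which is the whole difference between the ambiguous and the structured representation.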

Affected Services

Cognito, Amazon API Gateway

Remediation

None required

Tracked CVEs

No tracked CVEs

References

Contributed by https://github.com/0xdabbad00

Entry Status

Finalized

Disclosure Date

Tue, Feb 15th, 2022

Exploitability Period

-

Known ITW Exploitation

-

Detection Methods

None

Piercing Index Rating

-

Discovered by

opsmorph