Issues with AWS Cognito configuration can expose applications to significant abuse, including privilege escalation attacks. The discovered vulnerability allows users to modify their attributes, potentially granting access to resources belonging to other entities in the system. Description of the vulnerability The tested application implements AWS Cognito as its authentication mechanism. However, a misconfiguration of this mechanism permits any user with an active account to modify their attributes within Cognito. This allows them to assume the identity of another merchant (business entity) in the system. Consequently, the attacker could perform actions on behalf of the compromised entity, such as creating business relationships.

Also, this issue affects both the web and mobile versions of the application due to their shared API.
Technical details The attack leverages AWS Cognito's authentication process and requires a network traffic analysis tool, such as Burp Suite, along with the AWS CLI toolkit.

1. Intercept Application Traffic: Configure the application to route its network traffic through a proxy server.

2. Log in to the Application

During the login process, intercept a request sent to AWS Cognito, which includes the Access Token.
Example request: 3. Retrieve User Attributes

Using the Access Token, the attacker can retrieve their own attributes in AWS Cognito with the following command: Example user attributes: 4. Modify Attributes:
The attacker modifies the custom:m_id attribute, which identifies the merchant associated with the account, using the following command: After relogging, the user gains access to resources belonging to the other merchant.
Recommendations To prevent exploitation, it is recommended to:

1. Restrict Attribute Modifications Disable the ability for users to modify sensitive attributes such as custom:m_id e.g. by using pre-token generation Lambda triggers to validate and restrict attribute changes.

2. Implement Backend Validation Ensure the backend verifies whether a user is authorized to modify specific attributes.

3. Conduct a Security Audit Regularly review AWS Cognito configuration as well as, both authenticated and unauthenticated user permissions to identify potential misconfigurations.



#Cybersecurity #WebSecurity #SessionFixation #PenTesting #SecureApplications