
How OpenID Connect Claims Vulnerability Enables Account Hijacking: Insights from Neuvik Solutions

Original Post: Abusing OpenID Connect Claims to Take Over Accounts | by Neuvik Solutions | Aug, 2024

Rick Alfaro, a cybersecurity expert at Neuvik Solutions, shares insights from a web application assessment involving AWS Cognito. AWS Cognito helps developers integrate user management features like sign-up, sign-in, and access control into their applications. However, Alfaro discovered a significant vulnerability: because Cognito treats attribute values as case-sensitive, an application that does not account for this can let attackers take over user accounts by manipulating user-writeable attributes, such as email addresses.

During a test, by altering the email attribute to a capitalized version of another user’s email, an attacker could impersonate that user upon logging back in. This exploit highlights a crucial issue: Cognito accepts the case-variant email as a distinct value, but many backends do not distinguish between different cases of an email address, so an account takeover is possible whenever the application’s backend maps tokens to user accounts through a case-insensitive email lookup.

To mitigate such risks, Alfaro recommends enforcing multi-factor authentication and using immutable attributes to map user accounts. This vulnerability is critical and could potentially allow privilege escalation, making it essential for developers using Cognito to safeguard against such implementations. Notably, this issue is already included in well-known AWS exploitation frameworks like Rhino Security’s Pacu, signifying its importance and relevance.
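The mapping mistake described above, shown as an added example that is not part of the original post and not Neuvik's or AWS's code: a backend receives the claims of an already-validated Cognito ID token and must decide which local account they belong to. The account table, the `sub` values and the two claim sets are constructed placeholders. `resolve_by_email` is the vulnerable pattern (case-insensitive lookup on the user-writeable `email` claim), `resolve_by_sub` is the hardened pattern that maps on the immutable `sub` claim, and `email_claim_collides` is a small detection check a backend can log on.

```python
"""Vulnerable vs. hardened account mapping for OpenID Connect claims.

Constructed example: the account table, ``sub`` values and claim sets below are
placeholders, not real Cognito identifiers. Token signature/expiry validation is
assumed to have happened before these functions are called.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Account:
    sub: str    # immutable subject identifier issued by the identity provider
    email: str  # user-writeable attribute, as stored at registration time
    role: str


# Constructed local account table (placeholder values).
ACCOUNTS = [
    Account(sub="sub-victim-0001", email="victim@example.com", role="admin"),
    Account(sub="sub-attacker-0002", email="attacker@example.com", role="user"),
]

# Constructed ID-token claim sets. The identity provider issues the immutable
# ``sub`` claim and echoes user attributes such as ``email``. Because attribute
# values are case-sensitive on the provider side, a user can set an ``email``
# that differs from another user's only in letter case.
VICTIM_CLAIMS = {"sub": "sub-victim-0001", "email": "victim@example.com"}
ATTACKER_CLAIMS = {"sub": "sub-attacker-0002", "email": "Victim@Example.com"}


def resolve_by_email(claims: dict) -> Optional[Account]:
    """Vulnerable: case-insensitive lookup keyed on a mutable, user-writeable claim.

    A token carrying a case-variant of another user's email resolves to that
    user's account, which is the takeover described in the post.
    """
    wanted = claims["email"].casefold()
    for acct in ACCOUNTS:
        if acct.email.casefold() == wanted:
            return acct
    return None


def resolve_by_sub(claims: dict) -> Optional[Account]:
    """Hardened: lookup keyed only on the immutable ``sub`` claim.

    ``sub`` cannot be changed by the user, so the ``email`` claim no longer
    influences which account the token is bound to.
    """
    for acct in ACCOUNTS:
        if acct.sub == claims["sub"]:
            return acct
    return None


def email_claim_collides(claims: dict) -> bool:
    """Detection aid: True when the token's ``email`` claim matches an existing
    account (ignoring case) that belongs to a different ``sub``.

    A backend can log or alert on this condition, since a legitimate user has
    no reason to carry another account's email address.
    """
    wanted = claims["email"].casefold()
    return any(
        acct.email.casefold() == wanted and acct.sub != claims["sub"]
        for acct in ACCOUNTS
    )


if __name__ == "__main__":
    for label, claims in (("victim", VICTIM_CLAIMS), ("attacker", ATTACKER_CLAIMS)):
        by_email = resolve_by_email(claims)
        by_sub = resolve_by_sub(claims)
        print(f"{label}: by email -> {by_email.sub} ({by_email.role}); "
              f"by sub -> {by_sub.sub} ({by_sub.role}); "
              f"collision flagged: {email_claim_collides(claims)}")
```

With the email-keyed lookup, the attacker's token lands on the victim's `admin` account; with the `sub`-keyed lookup it stays on the attacker's own `user` account. If a backend still needs the email claim for display or notifications, it should read it after the account has been resolved by `sub`, never use it as the identity key.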

