Amplify-js: Cognito authenticateUser security hole

Created on 9 Jul 2018 · 17Comments · Source: aws-amplify/amplify-js

Do you want to request a feature or report a bug?

Bug (security hole). I think this is something that needs to be fixed in Cognito and not the SDK, but I figured I'd open this issue here just in case. I'm also going to post in the AWS Developer Forums when it lets me.

What is the current behavior?

As it was already mentioned in this forum discussion thread and in this issue comment, returning specific error messages on sign in failure exposes a security hole, allowing an attacker to enumerate users.

What is the expected behavior?

As per OWASP's recommendation:

[Cognito] should respond with a generic error message regardless of whether the user ID or password was incorrect.

A generic "Incorrect username or password." error message would be the best.

Which versions of Amplify, and which browser / OS are affected by this issue? Did this work in previous versions?

N/A

Thanks.

Auth Cognito Security Service Team

Source

olistic

👍18

Most helpful comment

For others arriving here from search engines, here is the documentation explaining how to prevent UserNotFoundException errors from Cognito:

Managing Error Response

Basically, go to your User Pool in Cognito, select App clients, click Show Details, and enable Prevent User Existence Errors:

augustoproiete on 25 Apr 2020

👍5 🚀1

All 17 comments

@olistic thanks for reporting. We will talk to Cognito team about this issue.

powerful23 on 10 Jul 2018

@yuntuowang what do you think?

powerful23 on 10 Jul 2018

I will call this out with Cognito team.

yuntuowang on 10 Jul 2018

👀2

@yuntuowang thanks.

powerful23 on 10 Jul 2018

Is there any update on this?

Benno007 on 29 Aug 2018

Hi,

There are numbers of concerns regarding this on github/aws forums (see https://forums.aws.amazon.com/message.jspa?messageID=749743#749743) so it will be good to have AWS standing on this -

fhenri on 24 Oct 2018

hello,

really enjoying doing full stack dev with amplify et al keep up the great work. we too see that the more generic response would be better ala iam for aws console

any update?

thanks

hannersmatto on 9 Nov 2018

Bumping this, as it is a security issue on every website that calls Cognito directly from the browser. Even if you intercept the error return and write your own UI message, it is trivial to open the Console and see the message returned from Cognito.

The sad thing is that this was added as a "feature" by someone on the Cognito team...

driddle on 12 Dec 2018

👍3 👀2

It's still an issue. Not really a good thing to let an attacker know a particular username exists and only the password remains to be exploited. This must be fixed ASAP.

cc @yuntuowang

scorphus on 15 Feb 2019

👍2

Why is this problem neglected for a long time?
Does AWS neglect security?
Do users who use Cognito for their business correctly recognize this threat?

komikoni on 3 Mar 2019

👍3

As many others here I consider this highly problematic.

Not "only" for the security of the app, but in apps/services where the user's email address is being used as username (and many services do that) it might also violate the GDPR, since it is leaking information about natural persons, as it is easily possible to find out if a certain person is using a certain app/service by simply typing their email address into the logon field and hit enter.

schoorsch on 13 Jun 2019

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.