What’s Up, Everyone?
Hope y’all are doing awesome! In this post, I’m gonna spill the beans on a bug I discovered while poking around a public program. I won’t be dropping any details about the actual target—just the relevant bits about how it uses Amazon Cognito for its auth and user management.
Quick Intro to Amazon Cognito
Amazon Cognito basically hooks you up with easy sign-up, sign-in, and user access controls for websites and apps. Users can log in using a regular ol’ username and password or go through social login options like Google, Apple, or Facebook.
Two core pieces of Cognito:
- User Pools: They’re like user directories that handle registration and login flows.
- Identity Pools: Let you give your users access to other AWS stuff.
Typical Cognito Scenarios
1. Signing in with a User Pool
- You can let your users sign in straight through Cognito or via a third-party IdP (like Google or Facebook).
- After a successful login, Cognito returns tokens that can be used to call protected APIs or to access other AWS services.
2. Using Cognito for Server-Side Access
- Once you’re signed in, you get tokens from Cognito.
- These tokens can help you manage who can do what on your server.
- You can also create user pool groups to organize and limit permissions for different people.
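Server-side enforcement of the token-and-group model just described, as an added example (not code from the original post): it checks the Cognito-specific claims a user pool access token must carry (issuer, token_use, client_id, expiry) and then gates an action on the cognito:groups claim. The region, user pool id, app client id and the demo token are constructed placeholders, and the RS256 signature is assumed to have been verified against the pool's JWKS before these checks run.

```python
import base64
import json
import time

# Constructed placeholder values for this example (not from the original post).
REGION = "us-east-1"
USER_POOL_ID = "us-east-1_EXAMPLEPOOL"
APP_CLIENT_ID = "example-app-client-id"
# Cognito user pool tokens carry the issuer in exactly this form.
ISSUER = f"https://cognito-idp.{REGION}.amazonaws.com/{USER_POOL_ID}"

def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def _b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def decode_claims(token):
    """Return the payload claims of a compact JWT.
    Assumption: the RS256 signature was already verified against the user
    pool's JWKS by an upstream step; only the claims are checked here."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    return json.loads(_b64url_decode(parts[1]))

def validate_access_token(claims, now=None):
    """Return None if the claims are acceptable, else the reason they are not.
    ID tokens differ: token_use is 'id' and the client is in 'aud', so they
    are rejected here rather than accepted for API calls."""
    now = time.time() if now is None else now
    if claims.get("iss") != ISSUER:
        return "issuer does not match our user pool"
    if claims.get("token_use") != "access":
        return "token_use must be 'access' for API calls"
    if claims.get("client_id") != APP_CLIENT_ID:
        return "token was issued to a different app client"
    if claims.get("exp", 0) <= now:
        return "token expired"
    return None

def allowed(claims, required_group):
    """Gate an action on user pool group membership (cognito:groups claim)."""
    return required_group in claims.get("cognito:groups", [])

def make_demo_token(claims):
    """Build a constructed, unsigned token for offline demonstration only."""
    header = _b64url_encode(json.dumps({"alg": "RS256", "kid": "demo"}).encode())
    return f"{header}.{_b64url_encode(json.dumps(claims).encode())}.sig"
```

Membership in a group is only as trustworthy as the issuer and client checks that precede it, so keep the order: validate the token first, then consult cognito:groups.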