AWS Cognito User Pool — Shared User Pools

Intro

This is the third blog post in our series about AWS Cognito security. In this post we are going to show how sharing a user pool between multiple applications may lead to users gaining unauthorized access to resources and functionality.

The issue of shared User Pools

As we discussed in our previous blog entries from our previous blog entries describing the structure of User Pools, Cognito allows you to connect multiple applications to a single User Pool via their separate app clients. A natural side effect of this setup is the fact that users from application A can sign into application B, since they use the same User Pool to identify a user. If this behavior is overlooked by the developers, application users may gain access to resources and functionality that they are not meant to have.

You can play with this scenario in our vulnerable Octopus Storage app, too. The application has a separate admin endpoint designed to manage storage users. This app uses a private Cognito app client and a server-side User Pool login flow.

The login page of the admin app does not offer sign-up functionality because admin accounts are meant to be provisioned via the Cognito panel.

Summary

User Pool should be considered a user directory with managed authentication. Any valid user from that user directory will be able to authenticate via any app clients attached to the user pool and, consequently, access the functionality of those app clients.

To prevent unauthorized access to multiple different applications, divide your User Pools for separate applications if you don’t plan to use them together. If that isn’t feasible, implement additional validation steps in the back-end code.

Credits

Research prepared by:

• Maksym Vatsyk

  • LinkedIn (https://www.linkedin.com/in/maksym-vatsyk/)

  • Twitter (https://twitter.com/adeadfed)

• Pavel Shabarkin

  • LinkedIn (https://www.linkedin.com/in/pavelshabarkin/)

  • Twitter (https://twitter.com/shabarkin)