BruCON 0x0B has ended
Friday, October 11 • 16:30 - 17:30
Internet-Scale analysis of AWS Cognito Security

Sign up or log in to save this to your schedule, view media, leave feedback and see who's attending!

Feedback form is now closed.
This talk will show the results of an internet-scale analysis of the security of AWS Cognito configurations. During this research it was possible to identify 2500 identity pools, which were used to gain access to more than 13000 S3 buckets (which are not publicly exposed), 1200 DynamoDB tables and 1500 Lambda functions.

The talk starts with an introduction to the AWS Cognito service and how it can be configured by the developers to give end-users direct access to AWS resources such as S3 and DynamoDB. Access is restricted by IAM policies which are under the developer's control and, in many cases, do not follow the least privilege principle.

The configuration weakness is first explained step by step for a specific AWS account and Cognito identity pool using a series of demos, the same concepts are then automated to perform an internet-scale analysis of AWS Cognito configurations.

Because Cognito identity pool IDs are UUID4 it was necessary to download thousands of APKs from the Google Play store, decompile them and extract the identifiers. Other sources such as Common Crawl were also used to identify valid identifiers. The tools used to perform these tasks will be made public.

Each Cognito identity pool that was configured with an unauthenticated role was analyzed using an in-depth permission brute-force tool that identifies potential breaches to least privilege principle.

The talk ends with recommendations for developers that want to configure the service in a secure manner, and an analysis of potential reasons for this widespread issue such as poor documentation and examples on AWS site

avatar for Andres Riancho

Andres Riancho

Andrés Riancho is an application and cloud security expert that leads the open source w3af project, and provides high-quality security assessment services to companies around the world.In the research field, he identified new techniques which can be used to escalate privileges in... Read More →

Friday October 11, 2019 16:30 - 17:30 CEST
01. Westvleteren University