Password reset code brute-force vulnerability in AWS Cognito
The password reset function of AWS Cognito allowed an attacker to change an account's password by guessing the six-digit reset code sent to the user by e-mail: because the code could be tried repeatedly (brute-forced), the correct value was eventually entered.
This article shows how it was done.
The issue was fixed by AWS on 2021-04-20.
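As an added illustration (not code from the article or from AWS), the snippet below shows the defensive properties a reset-code verifier needs so that a six-digit code cannot simply be guessed: a bounded attempt counter, an expiry, single use, and a constant-time comparison. The limits (five attempts, fifteen minutes) and the `ResetCodeStore` class are assumptions for the example.

```python
import hmac
import secrets
import time

CODE_DIGITS = 6
MAX_ATTEMPTS = 5          # assumed policy: invalidate the code after five wrong guesses
CODE_TTL_SECONDS = 900    # assumed policy: the code expires after 15 minutes


class ResetCodeStore:
    """Tracks one pending reset code per account with an attempt counter and expiry."""

    def __init__(self, now=time.time):
        self._now = now           # injectable clock so expiry can be tested
        self._pending = {}        # account -> [code, issued_at, attempts]

    def issue(self, account):
        # Fresh code from a CSPRNG, zero-padded to six digits; issuing a new
        # code replaces any earlier one and resets the attempt counter.
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        self._pending[account] = [code, self._now(), 0]
        return code               # in a real system this is e-mailed to the user

    def verify(self, account, guess):
        entry = self._pending.get(account)
        if entry is None:
            return "no_pending_code"
        code, issued_at, attempts = entry
        if self._now() - issued_at > CODE_TTL_SECONDS:
            del self._pending[account]
            return "expired"
        if attempts >= MAX_ATTEMPTS:
            del self._pending[account]   # too many guesses: force a new reset request
            return "locked"
        entry[2] = attempts + 1           # count the attempt before comparing
        if hmac.compare_digest(code, guess):
            del self._pending[account]   # single use: a code never verifies twice
            return "ok"
        return "wrong_code"


def blind_guess_success_probability(attempts_allowed, digits=CODE_DIGITS):
    """Chance that random guessing hits the code within the allowed attempts.

    With an unbounded counter this tends to 1; with MAX_ATTEMPTS it is tiny.
    """
    return min(1.0, attempts_allowed / 10 ** digits)
```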