Full Account Takeover via AWS Cognito Misconfiguration
Executive Summary
AWS Cognito is a widely adopted identity management service that handles authentication and authorization for web and mobile applications. However, a critical misconfiguration in how Cognito User Pools handle attribute modification can lead to complete account takeover. When an application does not restrict which attributes a signed-in user may write and identifies users by the email attribute instead of the sub claim (more on this later), an attacker can use their own valid access token to change their email attribute to a victim's email address, effectively hijacking the victim's account without ever needing the victim's credentials.