- Newest
- Most votes
- Most comments
Ok - so ...... turns out the issue was NOT duplicate emails. The issue was whitespace
Users managed to get accounts with both "test@test.com" and "test@test.com " and sometimes " test@test.com" - the email attribute is not automatically trimmed and spaces before or after an email address are not considered invalid or anything else. Also, as far as cognito is concerned, these are treated as different email addresses.
In the UI, the email appears the same - because you can't see the rouge spaces.
The solution is to clean up these accounts and make sure these attributes are trimmed before the signup call.
I think it might be considered as a Cognito bug. Since even though you can trim the email using Java SDK, an attacker can sign up a new account using the same technique using Cognito API directly without using UI.
Relevant content
- AWS OFFICIALUpdated 3 years ago
- AWS OFFICIALUpdated a year ago
- AWS OFFICIALUpdated a year ago
- AWS OFFICIALUpdated a year ago