By using AWS re:Post, you agree to the AWS re:Post Terms of Use
AWS re:Postre:Post

Cognito pool allows duplicate confirmed email address aliases

0

Hello.
This may be a problem with Cognito and I am not sure if this is the correct place to report this.

We have a cogntio user pool set up with about 100,000 users currently, and growing. The attribute settings are set to using username to sign in but to also allow sign in with verified email, phone, or preferred username. We connect with the pool using the Java SDK.

Users can sign up by choosing email or phone (we haven't implemented preferred username) - or Google, Facebook or Apple. When confirming, we call confirmSignUp with forceAliasCreation=false. This causes an error if the user tries to use an existing verified email address. Which is fine. Usually.

However, occasionally a user is able to create a duplicate Cognito user with the same exact email address and both users are "confirmed" with the email address set to verified. How is this possible? My understanding is that it is impossible to have the same email address confirmed on two different users in the same pool with these settings.

The only way out of this is to manually delete one of the users.

Is this a known issue?

Topics
Security, Identity, & Compliance
Tags
Amazon Cognito
Language
English
scottdco
asked 3 years ago2001 views
2 Answers
0

Ok - so ...... turns out the issue was NOT duplicate emails. The issue was whitespace

Users managed to get accounts with both "test@test.com" and "test@test.com " and sometimes " test@test.com" - the email attribute is not automatically trimmed and spaces before or after an email address are not considered invalid or anything else. Also, as far as cognito is concerned, these are treated as different email addresses.

In the UI, the email appears the same - because you can't see the rouge spaces.

The solution is to clean up these accounts and make sure these attributes are trimmed before the signup call.

scottdco
answered 3 years ago
0

I think it might be considered as a Cognito bug. Since even though you can trim the email using Java SDK, an attacker can sign up a new account using the same technique using Cognito API directly without using UI.

JackServerless
answered 3 years ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions

Relevant content