- 最新
- 投票最多
- 评论最多
Ok - so ...... turns out the issue was NOT duplicate emails. The issue was whitespace
Users managed to get accounts with both "test@test.com" and "test@test.com " and sometimes " test@test.com" - the email attribute is not automatically trimmed and spaces before or after an email address are not considered invalid or anything else. Also, as far as cognito is concerned, these are treated as different email addresses.
In the UI, the email appears the same - because you can't see the rouge spaces.
The solution is to clean up these accounts and make sure these attributes are trimmed before the signup call.
I think it might be considered as a Cognito bug. Since even though you can trim the email using Java SDK, an attacker can sign up a new account using the same technique using Cognito API directly without using UI.
相关内容
- AWS 官方已更新 2 年前
- AWS 官方已更新 1 年前
- AWS 官方已更新 1 年前