Cognito pool allows duplicate confirmed email address aliases

0

Hello.
This may be a problem with Cognito and I am not sure if this is the correct place to report this.

We have a cogntio user pool set up with about 100,000 users currently, and growing. The attribute settings are set to using username to sign in but to also allow sign in with verified email, phone, or preferred username. We connect with the pool using the Java SDK.

Users can sign up by choosing email or phone (we haven't implemented preferred username) - or Google, Facebook or Apple. When confirming, we call confirmSignUp with forceAliasCreation=false. This causes an error if the user tries to use an existing verified email address. Which is fine. Usually.

However, occasionally a user is able to create a duplicate Cognito user with the same exact email address and both users are "confirmed" with the email address set to verified. How is this possible? My understanding is that it is impossible to have the same email address confirmed on two different users in the same pool with these settings.

The only way out of this is to manually delete one of the users.

Is this a known issue?

已提問 2 年前檢視次數 1964 次
2 個答案
0

Ok - so ...... turns out the issue was NOT duplicate emails. The issue was whitespace

Users managed to get accounts with both "test@test.com" and "test@test.com " and sometimes " test@test.com" - the email attribute is not automatically trimmed and spaces before or after an email address are not considered invalid or anything else. Also, as far as cognito is concerned, these are treated as different email addresses.

In the UI, the email appears the same - because you can't see the rouge spaces.

The solution is to clean up these accounts and make sure these attributes are trimmed before the signup call.

已回答 2 年前
0

I think it might be considered as a Cognito bug. Since even though you can trim the email using Java SDK, an attacker can sign up a new account using the same technique using Cognito API directly without using UI.

已回答 2 年前

您尚未登入。 登入 去張貼答案。

一個好的回答可以清楚地回答問題並提供建設性的意見回饋,同時有助於提問者的專業成長。

回答問題指南