Username Harvesting
AWS Cognito has several username-harvesting options that we can leverage if they are configured. There is always a chance that a developer displays a username directly on the page you are on, which can be used to separate valid from invalid users. At the protocol level, AWS Cognito sends a 404 message for users that do not exist on the system: a 200 OK means a valid user and a 404 Not Found means an invalid user, so usernames can be harvested from the system.

This is not the only way. AWS Cognito also has timing-based behaviour that we can attack to enumerate users, and abusing the MFA portion of the system can lead to user enumeration as well. One of the items we have found is that Cognito supports passwordless authentication schemes, such as email sign-on, where the user requests an email in order to log in. The issue lies in when the status message is returned after an email is requested. For users that exist on the system, the email is crafted and sent before the status message is returned; this appears to take seconds, whereas requests for users that do not exist return in milliseconds. That difference means timing-based attacks can be used to enumerate valid vs. invalid users.
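The email-request timing gap described above comes from doing the slow work (building and sending the mail) before answering the request. The following Python is an added illustration, not code from the original page or from AWS: a constructed passwordless-login handler in the leaky shape the text describes, beside a hardened one that enqueues the mail for a background worker, returns the same status and message whether or not the address is registered, and pads short responses to a minimum duration. The user store, the `_simulate_send_email` delay, the `MIN_RESPONSE_SECONDS` floor and the `drain_mail_queue` worker stand-in are assumptions made for the demonstration.

```python
import queue
import time
from typing import Callable, Iterable, List, Tuple

# Constructed sample user store: a set of registered e-mail addresses
# (assumption for the demo; a real service would query its user pool).
REGISTERED_USERS = {"alice@example.com", "bob@example.com"}

# Background queue standing in for the mail-sending worker. The hardened
# handler only enqueues, so the cost of crafting and delivering the mail
# never appears in the HTTP response time.
MAIL_QUEUE: "queue.Queue[str]" = queue.Queue()

# Minimum wall-clock duration of a hardened response (assumed value);
# it absorbs small residual jitter, not multi-second work.
MIN_RESPONSE_SECONDS = 0.02


def _simulate_send_email(address: str) -> None:
    """Stand-in for crafting and delivering a magic-link mail.

    The page observes this step taking seconds; 50 ms is enough to make
    the leaky handler measurably slower for registered users.
    """
    time.sleep(0.05)


def leaky_request_login_email(address: str) -> Tuple[int, str]:
    """Leaky pattern from the text: distinct status for unknown users and a
    synchronous mail send for known ones, so both the status code and the
    response time reveal whether the account exists."""
    if address not in REGISTERED_USERS:
        return 404, "user not found"
    _simulate_send_email(address)  # slow work inside the request path
    return 200, "email sent"


def hardened_request_login_email(address: str) -> Tuple[int, str]:
    """Uniform response: same status, same body, and no slow work before
    answering, whether or not the address is registered."""
    start = time.perf_counter()
    if address in REGISTERED_USERS:
        MAIL_QUEUE.put(address)  # deferred to the worker, not sent here
    # Pad to a minimum duration so the cheap membership check and queue
    # put do not leave a measurable difference between the two branches.
    remaining = MIN_RESPONSE_SECONDS - (time.perf_counter() - start)
    if remaining > 0:
        time.sleep(remaining)
    return 200, "If that address is registered, an email is on its way."


def drain_mail_queue() -> List[str]:
    """Worker stand-in: deliver every queued mail and report the addresses.

    In production this runs in a separate thread or process; calling it
    synchronously here keeps the demo deterministic.
    """
    sent: List[str] = []
    while True:
        try:
            address = MAIL_QUEUE.get_nowait()
        except queue.Empty:
            return sent
        _simulate_send_email(address)
        sent.append(address)


def timed(handler: Callable[[str], Tuple[int, str]], address: str) -> Tuple[int, str, float]:
    """Call a handler and return (status, body, elapsed_seconds)."""
    t0 = time.perf_counter()
    status, body = handler(address)
    return status, body, time.perf_counter() - t0


def uniform_response(handler: Callable[[str], Tuple[int, str]], addresses: Iterable[str]) -> bool:
    """True when the handler returns an identical (status, body) for every
    address given, i.e. the response content does not reveal user existence."""
    results = {handler(a) for a in addresses}
    return len(results) == 1


if __name__ == "__main__":
    for handler in (leaky_request_login_email, hardened_request_login_email):
        for address in ("alice@example.com", "nobody@example.com"):
            status, body, elapsed = timed(handler, address)
            print(f"{handler.__name__:32} {address:20} {status} {elapsed*1000:6.1f} ms  {body}")
    print("worker delivered:", drain_mail_queue())
```

The padding alone would not hide a mail send that takes seconds, which is why the send is moved off the request path entirely; the floor only evens out the small remaining difference between the two branches. For Cognito itself, the corresponding server-side control is the app client's `PreventUserExistenceErrors` setting: with it set to `ENABLED`, Cognito returns generic errors for the affected authentication and recovery calls instead of distinguishing unknown users.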