Am doing a pen test on a client system using AWS Cognito and userpools for authentication using the client side SDK provided by AWS.
during the forget password flow, I noticed that Cognito request returns 400 with a payload of
__type UserNotFoundException message Username/client id combination not found. and 200 when a user is found
CodeDeliveryDetails {} AttributeName email DeliveryMedium EMAIL Destination j***@g***.com Is this considered a vulnerability? It seems to be for me. Its kinda a leak of information. When anyone can check if an email has an account with my app by calling this url.
Another attack vector would be brute forcing against known emails for a list of users on the app for marketing or phishing purposes.
ideally for this flow you would want Cognito to return 200 regardless of if the email exist or not.
I know what is considered a vulnerability is never black and white but this seems to be an issue for me given AWS is so big and trusted.
