Original Post: Password reset code brute-force vulnerability in AWS Cognito
This vulnerability was analyzed during Episode 76 on 11 May 2021
Race conditions on the web are one of my favorite vulnerability classes: easy to exploit and often fairly impactful. In this case the race is against the rate limiting of password reset code checks in AWS Cognito. Normally it allowed only 5-20 attempts per hour, but by sending many requests at once you could get several guesses through the check before the attempt counter caught up, because the counter was read and incremented as separate steps rather than as one atomic operation.
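The race described above, as an added example written for these notes (it is a toy model, not AWS Cognito's implementation or the original researcher's exploit): a reset-code endpoint whose limiter reads the attempt counter, decides, and only then increments it, hit by a burst of concurrent guesses, next to a version that reserves the attempt under a lock before comparing the code. The `LIMIT` of 5, the six-digit code format, the `Account` and verifier class names and the use of a `threading.Barrier` to force every request into the window at once are all assumptions made for the demonstration.

```python
"""Toy model of a check-then-increment rate limiter on a password-reset
code endpoint, raced by a burst of concurrent guesses, beside an atomic
version. Hypothetical code written for this page; it is not AWS Cognito's
implementation and the names and limit below are assumptions."""
import threading
from collections import Counter

LIMIT = 5  # hypothetical per-window cap on reset-code checks


class Account:
    def __init__(self, reset_code):
        self.reset_code = reset_code
        self.attempts = 0


class RacyVerifier:
    """Reads the counter, decides, then increments: two separate steps.
    Every request that reads the counter before any of them writes it
    gets through, so a burst of N requests beats a limit of 5."""

    def __init__(self, account, arrival):
        self.account = account
        self.arrival = arrival  # Barrier standing in for "all requests in flight"

    def verify(self, code):
        if self.account.attempts >= LIMIT:
            return "rate_limited"
        # Race window: every concurrent request has passed the check on the
        # same stale count before any of them increments it.
        self.arrival.wait()
        self.account.attempts += 1
        return "ok" if code == self.account.reset_code else "wrong_code"


class AtomicVerifier:
    """Reserves an attempt under a lock before comparing the code, so the
    counter can never lag behind the checks in flight."""

    def __init__(self, account, arrival):
        self.account = account
        self.arrival = arrival
        self.lock = threading.Lock()

    def verify(self, code):
        self.arrival.wait()  # same burst: all requests arrive together
        with self.lock:
            if self.account.attempts >= LIMIT:
                return "rate_limited"
            self.account.attempts += 1  # slot reserved before the compare
        return "ok" if code == self.account.reset_code else "wrong_code"


def run_burst(verifier_cls, guesses, reset_code="000013"):
    """Fire every guess concurrently at a fresh account; return outcome counts."""
    account = Account(reset_code)  # constructed sample account
    verifier = verifier_cls(account, threading.Barrier(len(guesses)))
    results = [None] * len(guesses)

    def worker(i, code):
        results[i] = verifier.verify(code)

    threads = [threading.Thread(target=worker, args=(i, g))
               for i, g in enumerate(guesses)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return Counter(results)


if __name__ == "__main__":
    burst = [f"{n:06d}" for n in range(20)]  # 20 guesses, four times the limit
    print("racy  :", dict(run_burst(RacyVerifier, burst)))
    print("atomic:", dict(run_burst(AtomicVerifier, burst)))
```

With twenty simultaneous guesses the racy verifier evaluates all twenty (and so finds the code), while the atomic verifier evaluates exactly five and rejects the rest as rate limited. The fix that matters is the ordering: consume the attempt before the comparison, inside the same atomic operation that checks the count, rather than incrementing afterwards; in a distributed service that means an atomic increment or conditional write on the shared counter, not a read followed by a write.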