Password Reset Code Rate-Liming Bypass in AWS Cognito

We discussed this vulnerability as part of our weekly podcast on 11 May 2021

Race conditions on the web are one of my favorite vulnerability classes. Easy and often fairly impactful. In this case the race is against the rate-limiting of password reset token checks on AWS Cognito. It normally allowed 5-20 attempts per hour, but by making many at once you could get several attempts through the check before the count caught up.