AWS cognito medium security documentation change
Summary
Modified password reset error handling documentation to remove distinction between existing/nonexistent users and simplify response behavior
Security assessment
The change removes differentiation in error responses between existing and nonexistent users, which helps prevent user enumeration attacks (a security vulnerability) by standardizing responses. This addresses information disclosure risks.
Diff
diff --git a/cognito/latest/developerguide/cognito-user-pool-managing-errors.md b/cognito/latest/developerguide/cognito-user-pool-managing-errors.md index 991299e32..9f04650bf 100644 --- a//cognito/latest/developerguide/cognito-user-pool-managing-errors.md +++ b//cognito/latest/developerguide/cognito-user-pool-managing-errors.md @@ -178,8 +178 @@ Amazon Cognito returns the following responses to user password reset operations -When a user isn't found, is deactivated, or doesn't have a verified delivery mechanism to recover their password. Amazon Cognito handles existing and nonexistent users differently. - - * **Existing users** \- For existing users who don't have a verified email/phone for account recovery, Amazon Cognito returns an `InvalidParameterException`. - - * **Nonexistent users** \- For nonexistent users who don't have a verified email/phone for account recovery, Amazon Cognito returns both an `InvalidParameterException` and `CodeDeliveryDetails` with a simulated delivery medium. The simulated delivery medium is determined by the input username format and verification settings of the user pool. - - - +When a user isn't found, is deactivated, or doesn't have a verified delivery mechanism to recover their password, Amazon Cognito returns `CodeDeliveryDetails` with a simulated delivery medium for a user. The simulated delivery medium is determined by the input username format and verification settings of the user pool.