Amazon Cognito is an AWS service that is becoming increasingly popular in modern apps, as it provides a complete solution for authentication, authorization, and user management. However, its implementation can easily be misconfigured, leaving the door open to various cyber attacks. In this talk, we'll go over some of these security misconfigurations and how to test for them, whether you're doing a security audit or bug bounty hunting. We'll then present a case study of a zero-interaction account takeover on Flickr, and finish with practical tips for developers on how to mitigate and avoid these misconfigurations.