Hunting for Amazon Cognito Security Misconfigurations


August 25, 2023




Track 1

Amazon Cognito is an AWS service that’s becoming increasingly popular in modern apps as it provides a complete solution for authentication, authorization, and user management. However, its implementation can easily be misconfigured leaving the door open for various cyber attacks. In this talk, we’ll go over some of these security misconfigurations and how to test for them either when you’re doing a security audit or bug bounty hunting then we’ll present a case study of a zero-interaction account takeover on Flickr and then provide practical tips for developers on how to mitigate and avoid these misconfigurations.

Hacker Advisory Board


Yassine Aboukir is a principal security consultant specializing in application and cloud security working with organizations from various industries. Yassine is also a proficient bug bounty hunter actively hacking on the HackerOne platform where he’s a member of the hacker advisory board, globally ranked in the top 20 hackers, won MVH title and 1st place at H1-303 live hacking event held in Denver. He has spoken at various international security conferences and enjoys meeting and connecting with like-minded people.