Amazon Cognito 1-Click Open Redirection via OAuth Error Handling Abuse

Researchers associated with Tenable have discovered a 1-click open redirection technique in Amazon Cognito that can be triggered by abusing the OAuth error-handling mechanism. The vulnerability stems from the validation sequence of AWS’s OAuth implementation: if validation fails due to an unsupported scope, mismatched PKCE parameters, or an unsupported response type, the error handling processes the failure and automatically issues an HTTP redirect to an attacker-controlled redirect_uri.

Because the identity platform evaluates these specific errors before any user interaction, the victim is redirected immediately without needing to be authenticated or having an active session. The process completely bypasses the OAuth consent screen, login prompts, and any warning prompts, resulting in a seamless 1-click open redirection. Attackers can exploit this to abuse Amazon Cognito’s highly trusted domain reputation (*.amazoncognito.com) to bypass traditional anti-phishing mechanisms and facilitate credential theft or malware delivery.

Proof of Concept:

Setup:

  1. Provision an Amazon Cognito User Pool and an associated OAuth App Client within an attacker-controlled AWS account.
  2. Configure the App Client’s redirect_uri to point to an attacker-controlled domain that hosts the phishing payload or malware.
  3. Other application configuration attributes are determined based on a specific attack path (see below for more details).

Attacker:

The attacker crafts a weaponized, yet structurally legitimate-looking, Amazon Cognito OAuth authorization link. By intentionally introducing parameter mismatches, the authorization server is forced into an error state. Four distinct error handling scenarios can fail open and trigger the automatic HTTP redirection:

  1. “invalid_scope” error: Triggered when the authorization request includes a scope parameter not explicitly bound to the App Client’s allowed scopes, or by utilizing fabricated scopes.
  2. “Missing_required_code_challenge_parameter” error: Exploits a malformed PKCE implementation by supplying either the code_challenge or code_challenge_method parameter in isolation.
  3. “Unsupported_code_challenge_method” error: Triggered when the request supplies a valid code_challenge but specifies an invalid or unsupported hashing algorithm (e.g., explicitly passing plain when Amazon Cognito enforces S256).
  4. “Unauthorized_client” error: Forced by creating a discrepancy between the response_type requested in the URI and the OAuth 2.0 grant types permitted within the App Client’s backend configuration.

The attacker sends a crafted link to the victim, depending on the scenario; for example, for the “invalid_scope” error:

https://[YOUR_DOMAIN].auth.[REGION].amazoncognito.com/oauth2/authorize?client_id=[YOUR_CLIENT_ID]&response_type=code&scope=fake

Victim:

  • The victim clicks on the crafted link. Because the identity platform evaluates these specific malformed parameters prior to any requisite user interaction, the authorization server processes the failure and issues an immediate HTTP redirect.
  • The victim is seamlessly and instantaneously routed to the attacker-controlled redirect_uri. This sequence executes silently, completely bypassing any login screens, OAuth consent dialogues, or interstitial warning prompts, rendering the attack highly evasive.
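For defenders triaging links in mail or proxy logs, the four error scenarios above translate into structural indicators that can be checked on the URL itself. The following is an added example, not Tenable's code or any AWS tooling; it assumes Cognito's standard scopes (openid, email, phone, profile, aws.cognito.signin.user.admin), that custom scopes take the form resource-server/scope, and that the authorize endpoint only issues code or token responses. A scope or response_type mismatch against one specific App Client's configuration cannot be decided from the URL alone, so the scope and response_type checks are heuristics.

```python
from urllib.parse import urlparse, parse_qs

COGNITO_HOST_SUFFIX = ".amazoncognito.com"
# Assumption: Cognito's built-in scopes; custom scopes contain a "/" separator.
STANDARD_SCOPES = {"openid", "email", "phone", "profile",
                   "aws.cognito.signin.user.admin"}
# Assumption: the only response types the authorize endpoint serves.
KNOWN_RESPONSE_TYPES = {"code", "token"}


def cognito_authorize_indicators(url: str) -> list[str]:
    """Return indicator tags for a Cognito /oauth2/authorize URL whose
    parameters look built to trip the error-handling redirect paths.
    An empty list means no indicator fired (or the URL is not in scope)."""
    u = urlparse(url)
    if not u.hostname or not u.hostname.endswith(COGNITO_HOST_SUFFIX):
        return []
    if u.path != "/oauth2/authorize":
        return []
    q = {k: v[-1] for k, v in parse_qs(u.query).items()}
    hits = []
    # Scenario 1: scope values that are neither built-in nor custom (heuristic).
    for s in q.get("scope", "").split():
        if s not in STANDARD_SCOPES and "/" not in s:
            hits.append(f"unknown_scope:{s}")
    # Scenario 2: code_challenge or code_challenge_method supplied in isolation.
    has_cc, has_ccm = "code_challenge" in q, "code_challenge_method" in q
    if has_cc != has_ccm:
        hits.append("pkce_param_in_isolation")
    # Scenario 3: a code_challenge_method other than S256.
    if has_ccm and q["code_challenge_method"] != "S256":
        hits.append(f"unsupported_code_challenge_method:{q['code_challenge_method']}")
    # Scenario 4: a response_type the endpoint never issues (heuristic; a
    # per-client grant-type mismatch needs that client's configuration).
    if q.get("response_type") not in KNOWN_RESPONSE_TYPES:
        hits.append(f"unexpected_response_type:{q.get('response_type')}")
    return hits


def scan_urls(urls: list[str]) -> dict[str, list[str]]:
    """Map each URL that fired at least one indicator to its indicator list."""
    found = {}
    for url in urls:
        hits = cognito_authorize_indicators(url)
        if hits:
            found[url] = hits
    return found
```

Feed it the URLs extracted from a mail gateway or proxy log; a URL with no registered redirect_uri in the query still redirects to the client's configured one, so the absence of redirect_uri is not a sign of safety.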

Ben Smith