
I'm using amazon-cognito-identity-js to reset user password. I call user.forgotPassword() and that all works fine, the user receives a verification code, etc.

However, something strange happens when I enter a non-existing username!

I do everything properly: I create a user = new CognitoUser(...) object with my pool and some random username. Then, when I call user.forgotPassword(...), onSuccess is triggered, and I get something like this as a response:

CodeDeliveryDetails: Object { AttributeName: "phone_number", DeliveryMedium: "SMS", Destination: "+*******5651" }

or, if I insist on email recovery instead of SMS:

CodeDeliveryDetails: Object { AttributeName: "email", DeliveryMedium: "EMAIL", Destination: "4***@g***" }

Is Cognito really sending random people SMSs and emails?!? I swear I don't have users with any similar email or phone in my User Pool. O_o

Lovro

1 Answer


This is a common security feature for avoiding user enumeration, i.e., identifying whether a given username/email is valid in the platform, which can lead to attacks like brute-forcing or credential stuffing.

In order to avoid this vulnerability, it is recommended that the response content (and timing) of operations like sign in, sign up and password reset be the same for valid and invalid usernames. This is what Cognito is doing by sending a fake response stating that a code has been sent to a simulated email address or phone number, but none is sent.

From the Cognito Developer Guide on managing error responses:

ForgotPassword

When a user isn't found, is deactivated, or doesn't have a verified delivery mechanism to recover their password, Amazon Cognito returns CodeDeliveryDetails with a simulated delivery medium for a user. The simulated delivery medium is determined by the input user name format and verification settings of the user pool.

ammendonca
  • Great explanation, thanks! That actually makes a lot of sense... – Lovro Oct 10 '22 at 00:04
  • OK but how do you handle this case if you want to notify the user that they have i.e. misspelled their e-mail if the response is identical as a success response? – Kronax Mar 15 '23 at 22:44
  • This behavior is configurable though: if you have the option "Prevent user existence errors" set to `false`, then Cognito will report it as an error. – Edmundo Santos May 19 '23 at 11:55
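As an added example (not code from the question, the answer, or amazon-cognito-identity-js), here is a server-side sketch in JavaScript of the enumeration-resistant response pattern the answer describes: a hit and a miss return CodeDeliveryDetails of identical shape, and only the hit actually sends anything. The user directory, the masking format and the preference for SMS over email are constructed assumptions.

```javascript
// Added example, not code from the question or from amazon-cognito-identity-js:
// an enumeration-resistant ForgotPassword response modelled on the behaviour
// the Cognito guide describes. Directory, masking and medium preference are
// constructed assumptions.

// Constructed directory: user name -> verified delivery attributes.
const USERS = {
  alice: { email: "alice@example.com", phone_number: "+15555550123" },
  bob:   { phone_number: "+15555555651" },
  carol: {},                                   // no verified delivery mechanism
};

// Mask like the responses in the question: "4***@g***", "+*******5651".
function maskEmail(email) {
  const [local, domain] = email.split("@");
  return `${local[0] || "*"}***@${(domain && domain[0]) || "*"}***`;
}
function maskPhone(phone) {
  return "+" + "*".repeat(phone.length - 5) + phone.slice(-4);
}

function details(attr, medium, destination) {
  return { AttributeName: attr, DeliveryMedium: medium, Destination: destination };
}

// For an unknown or undeliverable user, choose the medium from the shape of
// the supplied user name (email-like -> EMAIL, E.164-like -> SMS, otherwise an
// assumed pool default of SMS), so a miss looks exactly like a hit.
function simulatedDelivery(username) {
  if (username.includes("@")) return details("email", "EMAIL", maskEmail(username));
  if (/^\+\d{5,}$/.test(username)) return details("phone_number", "SMS", maskPhone(username));
  return details("phone_number", "SMS", "+*******0000");   // constructed placeholder
}

// Returns only CodeDeliveryDetails. Real sends go to `outbox`, a constructed
// stand-in for the SMS/email sender that the response never reveals.
function forgotPassword(username, outbox) {
  const user = USERS[username] || {};
  if (user.phone_number) {               // assumption: SMS preferred when verified
    outbox.push({ medium: "SMS", to: user.phone_number });
    return { CodeDeliveryDetails: details("phone_number", "SMS", maskPhone(user.phone_number)) };
  }
  if (user.email) {
    outbox.push({ medium: "EMAIL", to: user.email });
    return { CodeDeliveryDetails: details("email", "EMAIL", maskEmail(user.email)) };
  }
  return { CodeDeliveryDetails: simulatedDelivery(username) };   // nothing is sent
}
```

Note that forgotPassword("+15555555651", ...) for a number that is not in the directory yields the same masked Destination as the real user bob, which is exactly the point: the caller cannot distinguish the two from the response alone.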