Discovering a weakness that allowed a partial bypass of the login rate limiting of the AWS Console
Datadog Security Labs securitylabs.datadoghq.com
AWS applies a rate limit to authentication requests made to the AWS Console in an effort to prevent brute-force and credential stuffing attacks. In this post, we discuss a weakness we discovered in the AWS Console authentication flow that allowed us to partially bypass this rate limit and continuously attempt more than 280 passwords per minute (4.6 per second). The weakness has since been mitigated by AWS.
The issue discussed in this post had an impact only on IAM users …