Variable response times in the AWS Sign-in IAM user login flow allowed brute-force enumeration of valid IAM usernames in an arbitrary AWS account: the service answered requests for existing and non-existing usernames at measurably different speeds.
The product provides different responses to incoming requests in a way that reveals internal state information to an unauthorized actor outside of the intended control sphere.
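The weakness described above is a timing-based observable discrepancy: a login path that returns early for an unknown username does less work than one that verifies a password, so the response time reveals whether the account exists. The following is an added example written for this page, not AWS code and not taken from the bulletin. It shows a leaky handler beside a hardened one that performs the same password-hashing work for every request, against a constructed in-memory user store (`USERS`, `add_user`, `login_leaky`, `login_uniform` are all assumed names).

```python
import hashlib
import hmac
import os
import secrets

# Constructed in-memory user store: username -> (salt, PBKDF2 hash).
USERS: dict[str, tuple[bytes, bytes]] = {}

PBKDF2_ITERATIONS = 100_000  # assumed work factor; the point is that it is expensive


def _hash_password(password: str, salt: bytes) -> bytes:
    """Derive a fixed-cost password hash; this is the dominant cost of a login."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


# A dummy credential for requests naming an unknown user. The password is random
# and thrown away, so the stored hash can never match a submitted password.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _hash_password(secrets.token_hex(16), _DUMMY_SALT)


def add_user(username: str, password: str) -> None:
    """Register a user with a fresh random salt."""
    salt = os.urandom(16)
    USERS[username] = (salt, _hash_password(password, salt))


def login_leaky(username: str, password: str) -> bool:
    """Vulnerable pattern: unknown users short-circuit before any hashing.

    The 'user does not exist' path returns in microseconds while the
    'wrong password' path takes the full PBKDF2 time, so response time
    alone tells a caller which usernames exist.
    """
    record = USERS.get(username)
    if record is None:
        return False  # early exit: no hashing work is done
    salt, stored = record
    return hmac.compare_digest(_hash_password(password, salt), stored)


def login_uniform(username: str, password: str) -> bool:
    """Hardened pattern: every request performs one full password verification.

    Unknown usernames are verified against a dummy credential that cannot
    match, so the expensive step runs regardless of whether the user exists
    and the timing difference that enabled enumeration disappears. The
    caller receives the same generic False either way.
    """
    record = USERS.get(username)
    if record is None:
        salt, stored = _DUMMY_SALT, _DUMMY_HASH
        known = False
    else:
        salt, stored = record
        known = True
    # Always compute the hash and always use a constant-time comparison.
    match = hmac.compare_digest(_hash_password(password, salt), stored)
    return known and match


# Constructed sample account used by the demonstration below.
add_user("alice", "correct-horse-battery")

if __name__ == "__main__":
    print("uniform, valid user, right password:", login_uniform("alice", "correct-horse-battery"))
    print("uniform, valid user, wrong password:", login_uniform("alice", "nope"))
    print("uniform, unknown user:", login_uniform("nobody", "nope"))
```

Design note: the fix equalises the dominant cost (the password hash) rather than chasing every microsecond; a dictionary lookup still differs slightly between hit and miss, so a production service should also rate-limit by source and account, and detection teams can watch for a high volume of failed sign-ins spread across many distinct usernames from the same origin, which is the footprint this class of enumeration leaves regardless of timing.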
| Link | Tags |
|---|---|
| https://aws.amazon.com/security/security-bulletins/AWS-2025-002/ | vendor advisory |