resolved
Non-Production API Endpoints for the Device Farm Service Fail to Log to CloudTrail Resulting in Silent Permission Enumeration
Bug reported by Nick Frichette (Datadog), disclosed March 4, 2025, 7:30 pm | Insufficient Logging
The Device Farm service exposed two non-production API endpoints that accepted standard IAM credentials but did not emit CloudTrail events. This allowed silent permission enumeration: an adversary holding compromised credentials could test what those credentials were allowed to do without leaving any audit trail.
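The practical check behind this finding is whether a call sent to a given endpoint shows up in CloudTrail at all. The script below is an added example, not code from the report or from Datadog: it makes one read-only Device Farm call through whatever endpoint is configured, then searches CloudTrail LookupEvents for the request ID that call returned. It assumes working AWS credentials and boto3; the report does not name the non-production hosts, so ENDPOINT_URL is a placeholder (None means the standard endpoint). The was_logged helper is pure so it can be exercised offline.

```python
"""Does an API call against a given endpoint produce a CloudTrail event?

Added example (not the report's code). Assumes AWS credentials and boto3.
ENDPOINT_URL is a hypothetical placeholder; set it to the endpoint under test.
"""
import json
import time
from datetime import datetime, timedelta, timezone

try:
    import boto3  # needed only for the live calls below
except ImportError:  # keep the offline helper importable without boto3
    boto3 = None

REGION = "us-west-2"   # Device Farm is only offered in this region
ENDPOINT_URL = None    # placeholder: None = standard endpoint


def call_and_get_request_id(endpoint_url=ENDPOINT_URL):
    """Make one harmless Device Farm call and return its request ID."""
    client = boto3.client("devicefarm", region_name=REGION, endpoint_url=endpoint_url)
    resp = client.list_projects()
    return resp["ResponseMetadata"]["RequestId"]


def lookup_events(event_name="ListProjects", minutes=30):
    """Fetch recent CloudTrail management events with the given EventName."""
    ct = boto3.client("cloudtrail", region_name=REGION)
    start = datetime.now(timezone.utc) - timedelta(minutes=minutes)
    resp = ct.lookup_events(
        LookupAttributes=[{"AttributeKey": "EventName", "AttributeValue": event_name}],
        StartTime=start,
    )
    return resp["Events"]


def was_logged(events, request_id):
    """True if any LookupEvents record carries our call's request ID.

    Each record's CloudTrailEvent field is a JSON string; its 'requestID'
    matches the SDK's ResponseMetadata.RequestId for the same call.
    """
    for ev in events:
        body = json.loads(ev.get("CloudTrailEvent", "{}"))
        if body.get("requestID") == request_id:
            return True
    return False


def endpoint_is_audited(endpoint_url=ENDPOINT_URL, wait_seconds=900):
    """End-to-end check: call, wait for delivery, look for the record.

    LookupEvents delivery typically lags by up to 15 minutes, hence the wait.
    A False result after a generous wait is what the report describes:
    the call succeeded but nothing was written to the audit trail.
    """
    rid = call_and_get_request_id(endpoint_url)
    time.sleep(wait_seconds)
    return was_logged(lookup_events(), rid)
```

Run endpoint_is_audited() once against the standard endpoint to confirm the method works in your account, then with ENDPOINT_URL pointed at any alternate host you are investigating; a call that returns data but never appears in lookup_events is a logging gap worth reporting.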
resolved
Ability to Add and Verify Uncontrolled Mobile Numbers Leading to Account Takeover (ATO)
Bug reported by trev0ck, disclosed March 4, 2025, 1:30 pm | Authentication Bypass Using an Alternate Path or Channel
The vulnerability allowed an attacker to add and verify a mobile number they did not control to a user account, leading to account takeover. The OTP verification step was vulnerable to manipulation: the outcome of the check was carried in the server's response to the client and was not re-checked against server-side state when the number was added. An attacker who intercepted that response and modified it to indicate success could therefore complete verification with an incorrect OTP.
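The flaw and its fix are easiest to see side by side. The example below is added here and is not the affected application's code; the service and client names are hypothetical and the phone number and OTP are constructed test data. The vulnerable service hands the verification verdict to the client and lets the add-number step trust it, so an intercepting proxy that rewrites {"verified": false} to true wins; the hardened service records a successful check server-side, keyed by user and number, and the add-number step consults only that record.

```python
"""OTP phone-number linking: the response-tampering bypass, then the fix.

Added example, not the affected application's code. Class and function names
are hypothetical; the phone number and OTP values are constructed test data.
"""
import hmac
import secrets

OTP_LENGTH = 6


class VulnerableService:
    """Returns the OTP verdict to the client but keeps no record of it;
    the link step believes whatever verdict the client hands back."""

    def __init__(self):
        self.pending = {}  # (user, phone) -> otp awaiting verification
        self.linked = {}   # user -> set of linked phone numbers

    def send_otp(self, user, phone):
        otp = f"{secrets.randbelow(10 ** OTP_LENGTH):0{OTP_LENGTH}d}"
        self.pending[(user, phone)] = otp
        return otp  # stands in for the SMS delivered to the phone's owner

    def verify_otp(self, user, phone, otp):
        expected = self.pending.get((user, phone))
        ok = expected is not None and hmac.compare_digest(expected, otp)
        return {"verified": ok}  # the response the attacker tampers with

    def link_phone(self, user, phone, verified_flag):
        # Bug: the decision comes from the client, not from server state.
        if verified_flag:
            self.linked.setdefault(user, set()).add(phone)
            return True
        return False


class HardenedService(VulnerableService):
    """Same API, but a successful check is recorded server-side and the
    link step consults only that record; the client's claim is ignored."""

    def __init__(self):
        super().__init__()
        self.verified = set()  # (user, phone) pairs that passed the OTP check

    def verify_otp(self, user, phone, otp):
        result = super().verify_otp(user, phone, otp)
        if result["verified"]:
            self.verified.add((user, phone))
            self.pending.pop((user, phone), None)  # OTP is single-use
        return result

    def link_phone(self, user, phone, verified_flag=None):
        if (user, phone) not in self.verified:
            return False
        self.verified.discard((user, phone))  # consume the proof
        self.linked.setdefault(user, set()).add(phone)
        return True


def attacker_links_victim_phone(service, victim_phone):
    """The reported attack: request an OTP for a number the attacker does not
    control, submit a wrong guess, rewrite the server's reply to success (what
    an intercepting proxy does), then call the link step with that reply."""
    user = "attacker"
    real_otp = service.send_otp(user, victim_phone)   # goes to the victim
    # The attacker never sees real_otp; it is only used here to keep the
    # demonstration deterministic by guaranteeing a wrong guess.
    guess = "000000" if real_otp != "000000" else "111111"
    resp = service.verify_otp(user, victim_phone, guess)
    tampered = dict(resp, verified=True)              # modified response
    return service.link_phone(user, victim_phone, tampered["verified"])


def legitimate_link(service, phone):
    """The honest flow: the owner enters the OTP they actually received."""
    user = "owner"
    otp = service.send_otp(user, phone)
    resp = service.verify_otp(user, phone, otp)
    return service.link_phone(user, phone, resp["verified"])
```

The honest flow succeeds against both services, which is why this class of bug survives functional testing; only the tampered flow distinguishes them. The general rule is that any proof of possession (OTP, magic link, push approval) must be recorded and consumed on the server, and later steps must look that record up rather than accept a flag from the client.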