aws / aws-sdk

Landing page for the AWS SDKs on GitHub
https://aws.amazon.com/tools/

MonitorContact allows an agent with insufficient permissions to listen in (monitor) a contact #622

Open hausermatt opened 8 months ago

hausermatt commented 8 months ago

Describe the bug

When calling the API to monitor a contact (https://docs.aws.amazon.com/connect/latest/APIReference/API_MonitorContact.html), I'm getting a successful response, as well as the agent actually being able to silently monitor the call, even though the agent only has the Agent default security profile.

Expected Behavior

The API call should fail with a 403, probably with an AccessDeniedException. Or really any kind of successful response, but with a body/result that does end up with the agent actually listening in, as again, they do not have the permission.

Current Behavior

The agent was able to listen in to the conversation; when they clicked barge (through the Streams API), that action was also allowed.

Reproduction Steps

import com.amazonaws.services.connect.model.MonitorCapability;
import com.amazonaws.services.connect.model.MonitorContactRequest;
import com.amazonaws.services.connect.model.MonitorContactResult;

// amazonConnect is an AmazonConnect client built beforehand (aws-java-sdk-connect v1)
final MonitorContactRequest monitorContactRequest = new MonitorContactRequest()
        .withContactId("our-contact-id")
        .withInstanceId("our-instance-id")
        .withUserId("id-of-agent-with-insufficient-permissions")
        .withAllowedMonitorCapabilities(MonitorCapability.SILENT_MONITOR, MonitorCapability.BARGE);
MonitorContactResult result = amazonConnect.monitorContact(monitorContactRequest);

Possible Solution

Deny this request. The problem is that our client is expecting an error so that we can surface a similar message in our client app and the agent cannot monitor/barge in. This bug is a vulnerability that could allow ANY agent to listen in on other agents' phone calls.

Additional Information/Context

No response

AWS Java SDK version used

aws-java-sdk-connect-1.12.534

JDK version used

11

Operating System and version

linux
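The report above expects the service to reject MonitorContact for an agent whose security profile does not grant monitoring. As an added example (not code from this issue, and not part of the AWS SDK), here is a client-side pre-check in the same v1 Java SDK that resolves the target user's security profiles, collects their permission strings via ListSecurityProfilePermissions, and refuses to call MonitorContact unless every requested capability is covered. It assumes that the caller supplies the security profile permission names that gate silent monitor and barge (taken from the Connect security profile permissions list; the names are not on this page, so they are passed in rather than hard-coded), and that `connect` is an initialised AmazonConnect client.

```java
import com.amazonaws.services.connect.AmazonConnect;
import com.amazonaws.services.connect.model.AccessDeniedException;
import com.amazonaws.services.connect.model.DescribeUserRequest;
import com.amazonaws.services.connect.model.ListSecurityProfilePermissionsRequest;
import com.amazonaws.services.connect.model.ListSecurityProfilePermissionsResult;
import com.amazonaws.services.connect.model.MonitorCapability;
import com.amazonaws.services.connect.model.MonitorContactRequest;
import com.amazonaws.services.connect.model.MonitorContactResult;

import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;

/**
 * Wraps MonitorContact with an explicit security profile check so that an
 * agent who lacks the monitor/barge permission gets a SecurityException
 * instead of a successful monitoring session.
 */
public final class GuardedMonitor {

    private final AmazonConnect connect;
    private final String instanceId;
    // Assumption: capability -> security profile permission string that grants it.
    // Populate from the Connect security profile permissions list for your instance.
    private final Map<MonitorCapability, String> requiredPermission;

    public GuardedMonitor(AmazonConnect connect, String instanceId,
                          Map<MonitorCapability, String> requiredPermission) {
        this.connect = connect;
        this.instanceId = instanceId;
        this.requiredPermission = requiredPermission;
    }

    /** Union of the permission strings granted by every security profile on the user. */
    Set<String> permissionsOf(String userId) {
        List<String> profileIds = connect.describeUser(new DescribeUserRequest()
                        .withInstanceId(instanceId)
                        .withUserId(userId))
                .getUser().getSecurityProfileIds();
        Set<String> perms = new HashSet<>();
        for (String profileId : profileIds) {
            String token = null;
            do { // ListSecurityProfilePermissions is paginated; walk every page
                ListSecurityProfilePermissionsResult page = connect.listSecurityProfilePermissions(
                        new ListSecurityProfilePermissionsRequest()
                                .withInstanceId(instanceId)
                                .withSecurityProfileId(profileId)
                                .withNextToken(token));
                perms.addAll(page.getPermissions());
                token = page.getNextToken();
            } while (token != null);
        }
        return perms;
    }

    /** Calls MonitorContact only if the user's profiles cover every requested capability. */
    public MonitorContactResult monitor(String contactId, String userId,
                                        MonitorCapability... capabilities) {
        Set<String> granted = permissionsOf(userId);
        for (MonitorCapability capability : capabilities) {
            String needed = requiredPermission.get(capability);
            if (needed == null || !granted.contains(needed)) {
                // Fail closed: an unmapped capability is treated as not permitted.
                throw new SecurityException("User " + userId + " is not permitted to "
                        + capability + " on contact " + contactId);
            }
        }
        try {
            return connect.monitorContact(new MonitorContactRequest()
                    .withInstanceId(instanceId)
                    .withContactId(contactId)
                    .withUserId(userId)
                    .withAllowedMonitorCapabilities(capabilities));
        } catch (AccessDeniedException e) {
            // Surface the service-side denial with the same client-facing error type.
            throw new SecurityException("MonitorContact denied for user " + userId, e);
        }
    }
}
```

This is a compensating control, not a fix: the check runs in the caller's process under the caller's IAM credentials, so anyone who can invoke MonitorContact with those credentials directly can still bypass it. It only keeps a well-behaved client app from handing an under-privileged agent a monitoring session while the service-side enforcement reported here is unresolved.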

debora-ito commented 8 months ago

@hausermatt this is a service side issue, I'll raise to the Connect team. Will update here when they have any info to share.

Moving this to the aws/aws-sdk repository for visibility, since it impacts other SDKs too.

P103541428

hausermatt commented 8 months ago

Has this been looked at? Able to repro?

debora-ito commented 8 months ago

No updates from the service team yet.

debora-ito commented 5 months ago

@hausermatt

To be able to investigate it further, the Amazon Connect team is asking for:

debora-ito commented 5 months ago

@hausermatt have you had the chance to look into getting this info? ⬆️