Open hausermatt opened 8 months ago
@hausermatt this is a service side issue, I'll raise to the Connect team. Will update here when they have any info to share.
Moving this to the aws/aws-sdk repository for visibility, since it impacts other SDKs too.
P103541428
Has this been looked at? Able to repro?
No updates from the service team yet.
@hausermatt To be able to investigate it further, the Amazon Connect team is asking for:
@hausermatt have you had the chance to look into getting these info? ⬆️
Describe the bug
When calling the API to monitor a contact (https://docs.aws.amazon.com/connect/latest/APIReference/API_MonitorContact.html), I'm getting a successful response, and the agent is actually able to silently monitor the call, even though the agent only has the default Agent security profile.
Expected Behavior
The API call should fail with a 403, probably with an AccessDeniedException. Or really any kind of successful response, but with a body/result that does end up with the agent actually listening in, as again, they do not have the permission.

Current Behavior
The agent was able to listen in to the conversation; when they clicked barge (through the Streams API), that action was also allowed.
Reproduction Steps
Possible Solution
Deny this request. The problem is our client is expecting an error so that we can surface a similar message in our client app and the agent cannot monitor/barge in. This bug is a vulnerability that could allow ANY agent to listen in on other agents' phone calls.
Additional Information/Context
No response
AWS Java SDK version used
aws-java-sdk-connect-1.12.534
JDK version used
11
Operating System and version
linux
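The client-side handling the report describes (expecting an AccessDeniedException and blocking the agent when it arrives), as an added example that is not code from the issue, the reporter, or the AWS SDK itself. It wraps the v1 SDK's MonitorContact call in a hypothetical MonitorContactGuard class, requests only the capability the UI asked for (SILENT_MONITOR or BARGE), and turns the three possible outcomes into an explicit decision instead of letting "no exception" silently mean "authorized". The instance, contact and user IDs are placeholders, and the client is built from the default credential chain; both are assumptions.

```java
// Added example, not code from the issue or the AWS SDK. Wraps
// MonitorContact (aws-java-sdk-connect 1.12.x) so the calling app gets an
// explicit ALLOWED / DENIED / ERROR decision. IDs in main() are placeholders.
import com.amazonaws.AmazonServiceException;
import com.amazonaws.services.connect.AmazonConnect;
import com.amazonaws.services.connect.AmazonConnectClientBuilder;
import com.amazonaws.services.connect.model.AccessDeniedException;
import com.amazonaws.services.connect.model.MonitorCapability;
import com.amazonaws.services.connect.model.MonitorContactRequest;
import com.amazonaws.services.connect.model.MonitorContactResult;

import java.util.UUID;

public class MonitorContactGuard {
    public enum Outcome { ALLOWED, DENIED, ERROR }

    private final AmazonConnect connect;

    public MonitorContactGuard(AmazonConnect connect) {
        this.connect = connect;
    }

    /**
     * Requests exactly one capability. A UI that asked for silent monitoring
     * must not be granted BARGE as a side effect, so the capability is an
     * explicit parameter rather than a default.
     */
    public Outcome monitor(String instanceId, String contactId, String userId,
                           MonitorCapability capability) {
        MonitorContactRequest req = new MonitorContactRequest()
                .withInstanceId(instanceId)
                .withContactId(contactId)
                .withUserId(userId)
                .withAllowedMonitorCapabilities(capability)
                .withClientToken(UUID.randomUUID().toString()); // idempotency token
        try {
            MonitorContactResult res = connect.monitorContact(req);
            // Success path: record who was attached to which contact with
            // which capability, so an audit trail exists even when the
            // service accepted a request the security profile should not allow.
            System.out.printf("MONITOR user=%s contact=%s capability=%s arn=%s%n",
                    userId, contactId, capability, res.getContactArn());
            return Outcome.ALLOWED;
        } catch (AccessDeniedException e) {
            // The response the report expects for an agent without the
            // monitoring permission: surface a "not permitted" message.
            return Outcome.DENIED;
        } catch (AmazonServiceException e) {
            // Anything else (ResourceNotFound, InvalidRequest, Throttling, ...)
            // is a failure, not a grant; do not treat it as a denial either.
            System.err.printf("MonitorContact failed: %s (%s)%n",
                    e.getErrorCode(), e.getMessage());
            return Outcome.ERROR;
        }
    }

    public static void main(String[] args) {
        AmazonConnect client = AmazonConnectClientBuilder.defaultClient();
        Outcome outcome = new MonitorContactGuard(client).monitor(
                "11111111-2222-3333-4444-555555555555",  // placeholder instance ID
                "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee",  // placeholder contact ID
                "ffffffff-0000-1111-2222-333333333333",  // placeholder user ID
                MonitorCapability.SILENT_MONITOR);
        System.out.println(outcome);
    }
}
```

The three-way result matters for the bug described above: an app that only distinguishes "exception" from "no exception" will show the agent a success state whenever the service returns 200, which is exactly the case the report says should have been a 403. Keeping the audit log on the success path gives you a record to review until the service-side permission check behaves as documented.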