MonitorContact allows an agent with insufficient permissions to listen in (monitor) a contact

[hausermatt]

Describe the bug

When calling the API to monitor a contact https://docs.aws.amazon.com/connect/latest/APIReference/API_MonitorContact.html. I'm getting a successful response as well as the agent actually being able to silently monitor the call, even though the agent just has the Agent default security profile.

Expected Behavior

The API call should fail with a 403, probably with a AccessDeniedException . Or really any kind of successful response but with a body, result that does end up with the agent actually listening in, as again, they do not have the permission.

Current Behavior

The agent was able to listen in to the conversation, when they clicked barge (through streams API) that action was also allowed.

Reproduction Steps

final MonitorContactRequest monitorContactRequest = new MonitorContactRequest()
                .withContactId('our-contact-id')
                .withInstanceId('our-instance-id')
                .withUserId('id-of-agent-with-insufficient-permissions')
                .withAllowedMonitorCapabilities(['SILENT_MONITOR','BARGE']);
        MonitorContactResult result = amazonConnect.monitorContact(monitorContactRequest));

Possible Solution

deny this request. The problem is our client is expecting an error so that we can surface a similar message on our client app and the agent cannot monitor/barge in. This bug is a vulnerability that could allow ANY agent listen in on other agent phone calls.

Additional Information/Context

No response

AWS Java SDK version used

aws-java-sdk-connect-1.12.534

JDK version used

11

Operating System and version

linux

[debora-ito]

@hausermatt this is a service side issue, I'll raise to the Connect team. Will update here when they have any info to share.

Moving this to the aws/aws-sdk repository for visibility, since it impacts other SDKs too.

P103541428

[hausermatt]

has this been looked at? able to repo?

[debora-ito]

No updates from the service team yet.

[debora-ito]

@hausermatt

To be able to investigate it further, the Amazon Connect team is asking for:

• A requestId of a recent MonitorContact call, OR the values of InstanceId and agent's UserId
• What permissions did the role have when the MonitorContact operation was called

[debora-ito]

@hausermatt have you had the chance to look into getting these info? ⬆️

[tim-finnigan]

Please follow up in your SDK repo

[github-actions]

This issue is now closed.

Comments on closed issues are hard for our team to see.
If you need more assistance, please either tag a team member or open a new issue that references this one.
If you wish to keep having a conversation with other community members under this issue feel free to do so.