AWS Cognito is sending SMS messages without my permission

I noticed a strange charge for SMS messages being sent a few months back and since our code doesn't yet support sending SMS messages, I have been investigating it.

It turns out AWS Cognito is sending text messages when we call "UpdateUserPool" to +12064350128 (206-435-0128). This is not a phone number associated with our account, in our code, or with any of our personnel. What's worse is that this AWS account hosts only development environments where the public doesn't have access. So we know it's either an Amazon employee's number or a security leak (or both).

Has anybody else had this happen? A google for that phone number turned up nothing, other than it is probably from somebody in Seattle.

Does anybody know what kind of data is being sent in these messages or how to figure out what's in them? Is it passwords & confidential info?

I turned on SMS logging and this is all of the data I could gather:

{
    "notification": {
        "messageId": "975e37a9-a5f1-5397-b6d0-63fdbad40d83",
        "timestamp": "2018-10-31 21:21:41.756"
    },
    "delivery": {
        "destination": "+12064350128",
        "priceInUSD": 0.00645,
        "smsType": "Transactional",
        "providerResponse": "Message has been accepted by phone",
        "dwellTimeMs": 168,
        "dwellTimeMsUntilDeviceAck": 2514670
    },
    "status": "SUCCESS"
}
Ryan Shillington asked Nov 06 '18 13:11



1 Answer

I received the following from AWS support. Looks like it's innocuous. Whew!

I completely understand your concern of AWS Cognito sending messages to phone number +12064350128. I got in touch with the Cognito team and found that it is expected behaviour that when you make an UpdateUserPool API call, a message is sent out to +12064350128, and this applies to all AWS accounts. The phone number +12064350128 is an internal number, and a message to this number is sent out to verify that Cognito and SNS are integrated correctly so that Cognito can send SMS to other numbers. Please note that no security information, including passwords, is being passed in the content of this SMS message. It's just a sample message indicating SNS is integrated with Cognito correctly.

Please rest assured that we treat customers' data with utmost privacy and we have a strict security mechanism in place to check any fraudulent activities.

I also completely agree that the above behavior needs to be documented and hence I will be reaching out to the Cognito team to get this updated in our docs to avoid further confusion.

Ryan Shillington answered Sep 28 '22 11:09
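One check a practitioner would want after reading the question and the support reply above: confirm that every message to +12064350128 in the SNS SMS delivery logs lines up with an UpdateUserPool call recorded in CloudTrail, and that no other destination outside your own allow-list appears at all. The following Python is an added example, not code from the question, the answer or AWS. Only the first log line is the entry quoted in the question; the other two log lines, the CloudTrail events and the destination +15555550100 are constructed, and the 30-second matching window between an UpdateUserPool event and the test SMS is an assumption.

```python
"""Correlate SNS SMS delivery-status log lines with CloudTrail UpdateUserPool
events and flag SMS destinations that are neither ours nor explainable as the
Cognito/SNS integration test message described in the AWS support reply."""
import json
from datetime import datetime, timedelta

# Constructed sample: SNS SMS delivery-status log lines as written to CloudWatch
# Logs. The first line is the entry from the question; the other two are made up,
# including the destination +15555550100.
SMS_DELIVERY_LOG = [
    '{"notification": {"messageId": "975e37a9-a5f1-5397-b6d0-63fdbad40d83", "timestamp": "2018-10-31 21:21:41.756"}, '
    '"delivery": {"destination": "+12064350128", "priceInUSD": 0.00645, "smsType": "Transactional", '
    '"providerResponse": "Message has been accepted by phone", "dwellTimeMs": 168, "dwellTimeMsUntilDeviceAck": 2514670}, '
    '"status": "SUCCESS"}',
    # Constructed: test number texted with no UpdateUserPool call nearby.
    '{"notification": {"messageId": "00000000-0000-4000-8000-000000000002", "timestamp": "2018-11-02 09:15:03.120"}, '
    '"delivery": {"destination": "+12064350128", "priceInUSD": 0.00645, "smsType": "Transactional"}, "status": "SUCCESS"}',
    # Constructed: a destination nobody in the account recognises.
    '{"notification": {"messageId": "00000000-0000-4000-8000-000000000003", "timestamp": "2018-11-02 09:16:00.000"}, '
    '"delivery": {"destination": "+15555550100", "priceInUSD": 0.00645, "smsType": "Transactional"}, "status": "SUCCESS"}',
]

# Constructed sample: the fields of CloudTrail records that matter here.
CLOUDTRAIL_EVENTS = [
    {"eventTime": "2018-10-31T21:21:40Z", "eventSource": "cognito-idp.amazonaws.com", "eventName": "UpdateUserPool"},
    {"eventTime": "2018-11-02T09:10:00Z", "eventSource": "cognito-idp.amazonaws.com", "eventName": "DescribeUserPool"},
]

OUR_KNOWN_DESTINATIONS = frozenset()      # per the question, our code sends no SMS yet
COGNITO_TEST_NUMBER = "+12064350128"      # internal test number named in the support reply
MATCH_WINDOW = timedelta(seconds=30)      # assumption: test SMS follows the API call within 30s


def parse_sms_timestamp(ts):
    """SNS delivery logs use 'YYYY-MM-DD HH:MM:SS.mmm' (UTC), as in the question."""
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S.%f")


def parse_cloudtrail_time(ts):
    """CloudTrail eventTime is ISO 8601 with a trailing Z (UTC)."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def update_user_pool_times(events):
    """Timestamps of Cognito UpdateUserPool calls; other Cognito calls are ignored."""
    return sorted(
        parse_cloudtrail_time(e["eventTime"])
        for e in events
        if e.get("eventSource") == "cognito-idp.amazonaws.com" and e.get("eventName") == "UpdateUserPool"
    )


def classify_deliveries(log_lines, cloudtrail_events, window=MATCH_WINDOW):
    """Bucket each SMS delivery as 'ours', 'integration_test' or 'unexplained'
    and total the spend, so anything unexplained can be escalated to AWS."""
    call_times = update_user_pool_times(cloudtrail_events)
    result = {"ours": [], "integration_test": [], "unexplained": [], "cost_usd": 0.0}
    for line in log_lines:
        entry = json.loads(line)
        delivery = entry["delivery"]
        dest = delivery["destination"]
        sent_at = parse_sms_timestamp(entry["notification"]["timestamp"])
        result["cost_usd"] += delivery.get("priceInUSD", 0.0)
        record = (entry["notification"]["messageId"], dest, sent_at.isoformat(sep=" "))
        if dest in OUR_KNOWN_DESTINATIONS:
            result["ours"].append(record)
        elif dest == COGNITO_TEST_NUMBER and any(timedelta(0) <= sent_at - t <= window for t in call_times):
            # Test number AND an UpdateUserPool call just before it: the behaviour AWS described.
            result["integration_test"].append(record)
        else:
            # Unknown destination, or the test number with no matching API call: investigate.
            result["unexplained"].append(record)
    result["cost_usd"] = round(result["cost_usd"], 5)
    return result


if __name__ == "__main__":
    summary = classify_deliveries(SMS_DELIVERY_LOG, CLOUDTRAIL_EVENTS)
    for bucket in ("ours", "integration_test", "unexplained"):
        for message_id, dest, when in summary[bucket]:
            print(f"{bucket:17} {when}  {dest}  {message_id}")
    print(f"total SMS spend: ${summary['cost_usd']:.5f}")
```

In a real account the two inputs would come from the CloudWatch log group that SNS delivery-status logging writes to and from a CloudTrail lookup filtered on eventName UpdateUserPool; the point of the correlation is that a message to the internal number with no matching UpdateUserPool call, or any destination outside your allow-list, is still worth a support case even after the explanation above.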