4 votes

I noticed a strange charge for SMS messages being sent a few months back and since our code doesn't yet support sending SMS messages, I have been investigating it.

It turns out AWS Cognito is sending text messages when we call "UpdateUserPool" to +12064350128 (206-435-0128). This is not a phone number associated with our account, in our code, or with any of our personnel. What's worse is that this AWS account hosts only development environments where the public doesn't have access. So we know it's either an Amazon employee's number or a security leak (or both).

Has anybody else had this happen? A Google search for that phone number turned up nothing, other than that it is probably from somebody in Seattle.

Does anybody know what kind of data is being sent in these messages or how to figure out what's in them? Is it passwords & confidential info?

I turned on SMS logging and this is all of the data I could gather:

{
    "notification": {
        "messageId": "975e37a9-a5f1-5397-b6d0-63fdbad40d83",
        "timestamp": "2018-10-31 21:21:41.756"
    },
    "delivery": {
        "destination": "+12064350128",
        "priceInUSD": 0.00645,
        "smsType": "Transactional",
        "providerResponse": "Message has been accepted by phone",
        "dwellTimeMs": 168,
        "dwellTimeMsUntilDeviceAck": 2514670
    },
    "status": "SUCCESS"
}

1 Answer

7 votes

I received the following from AWS support. Looks like it's innocuous. Whew!

I completely understand your concern about AWS Cognito sending messages to phone number +12064350128. I got in touch with the Cognito team and found that it is expected behaviour that when you make an UpdateUserPool API call, a message is sent out to +12064350128, and this applies to all AWS accounts. The phone number +12064350128 is an internal number, and a message to this number is sent out to verify that Cognito and SNS are integrated correctly so that Cognito can send SMS to other numbers. Please note that no security information, including passwords, is being passed in the content of this SMS message. It's just a sample message indicating that SNS is integrated with Cognito correctly.

Please rest assured that we treat customers' data with the utmost privacy and we have a strict security mechanism in place to check for any fraudulent activities.

I also completely agree that the above behavior needs to be documented and hence I will be reaching out to the Cognito team to get this updated in our docs to avoid further confusion.
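As an added example (not code from the question, the answer, or AWS): a small Python audit over SNS SMS delivery-status records in the format shown in the question, which tallies count and cost per destination and flags any number that is neither one of your own nor the internal Cognito check number AWS support named above. The sample log lines are constructed, "+15555550100" and "+15555550199" are placeholder numbers, and the last line is deliberately malformed to show the parser skipping it.

```python
import json
from collections import defaultdict

# Number that AWS support (in the answer above) named as the internal target of
# Cognito's SNS-integration check on UpdateUserPool: expected, not a leak.
COGNITO_INTEGRATION_CHECK_NUMBER = "+12064350128"
# Constructed sample of SNS SMS delivery-status records, one JSON object per line.
# The first mirrors the question's record; "+15555550100" is a made-up placeholder.
SAMPLE_LOG_LINES = [
    '{"notification": {"messageId": "975e37a9-a5f1-5397-b6d0-63fdbad40d83", '
    '"timestamp": "2018-10-31 21:21:41.756"}, "delivery": {"destination": '
    '"+12064350128", "priceInUSD": 0.00645, "smsType": "Transactional", '
    '"providerResponse": "Message has been accepted by phone"}, "status": "SUCCESS"}',
    '{"notification": {"messageId": "constructed-0002"}, "delivery": {"destination": '
    '"+12064350128", "priceInUSD": 0.00645, "smsType": "Transactional"}, "status": "SUCCESS"}',
    '{"notification": {"messageId": "constructed-0003"}, "delivery": {"destination": '
    '"+15555550100", "priceInUSD": 0.00645, "smsType": "Transactional"}, "status": "FAILURE"}',
    'this line is not JSON',
]

def parse_delivery_log(lines):
    """Parse delivery-status records, skipping malformed or incomplete lines."""
    records = []
    for line in lines:
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # non-JSON lines are skipped rather than aborting the audit
        delivery = rec.get("delivery") or {}
        if not delivery.get("destination"):
            continue
        records.append({
            "destination": delivery["destination"],
            "priceInUSD": float(delivery.get("priceInUSD", 0.0)),
            "status": rec.get("status"),
        })
    return records

def audit_destinations(records, own_numbers):
    """Per-destination count/cost/failures; flag numbers that are neither ours
    nor the documented Cognito check number. Returns (summary, unexpected)."""
    expected = set(own_numbers) | {COGNITO_INTEGRATION_CHECK_NUMBER}
    summary = defaultdict(lambda: {"count": 0, "cost_usd": 0.0, "failed": 0})
    for r in records:
        entry = summary[r["destination"]]
        entry["count"] += 1
        entry["cost_usd"] = round(entry["cost_usd"] + r["priceInUSD"], 6)
        entry["failed"] += r["status"] != "SUCCESS"
    unexpected = sorted(d for d in summary if d not in expected)
    return dict(summary), unexpected
```

Feed it the exported CloudWatch log lines for the SNS SMS delivery-status log group and your own verified numbers; anything left in `unexpected` is worth a support ticket like the one above.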