aws-lex-web-ui

Sensitive Information Exposed over Internet

Open · reymundelosantos opened this issue 5 years ago · 1 comment

AWS poolId, App User Pool Client ID, App User Pool Name and bot name details are exposed to the public.

reymundelosantos · Jul 02 '20 11:07

Hi @Dev-Grey,

Those parameters are visible to the client application (in this case the browser) so that it can point to the right resources.

The Cognito identifiers listed above are normally visible from the client side as they are used to point the user to the authentication endpoint(s) and to securely authenticate and obtain temporary credentials. Here are some references:

https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-scenarios.html
https://aws.amazon.com/blogs/mobile/how-amazon-cognito-keeps-mobile-app-users-data-safe/
https://aws.amazon.com/blogs/mobile/understanding-amazon-cognito-user-pool-oauth-2-0-grants/

The Lex Bot name is used by the client (browser) to directly interact with the Lex service. This is required to interact with the Lex service directly from the client side.

Do you have a specific concern with those parameters being visible to the client?

atoa · Jul 13 '20 15:07
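The reply above draws the line between identifiers that are designed to be public (Cognito pool and client IDs, the Lex bot name) and material that must never reach the browser. As an added example (not code from the aws-lex-web-ui project or from either commenter), this Node script audits a constructed web UI config for exactly that distinction; the key names (poolId, appUserPoolName, appUserPoolClientId, botName), the identifier regexes and every sample value are assumptions.

```javascript
// Added example, not code from aws-lex-web-ui or from either commenter.
// Audits a browser-delivered config: the Cognito/Lex identifiers named in
// the issue are expected to be public, so the check is (a) that each one
// has the shape of that identifier and (b) that nothing secret-shaped
// rides along. Key names and all sample values are constructed.

// Shape of each identifier that is legitimately public (assumed key names).
const PUBLIC_ID_PATTERNS = {
  // Cognito identity pool id: "<region>:<uuid>"
  poolId: /^[a-z]{2}(-[a-z]+)+-\d:[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$/,
  // Cognito user pool id: "<region>_<9 alphanumerics>"
  appUserPoolName: /^[a-z]{2}(-[a-z]+)+-\d_[A-Za-z0-9]{9}$/,
  // Cognito user pool app client id: 26 lowercase alphanumerics
  appUserPoolClientId: /^[a-z0-9]{26}$/,
  // Lex bot name (loose: letters, digits, underscore, 2-50 chars)
  botName: /^[A-Za-z0-9_]{2,50}$/,
};

// Values or key names that must never reach the browser.
const ACCESS_KEY_ID_RE = /\b(AKIA|ASIA)[A-Z0-9]{16}\b/; // IAM/STS access key id
const SECRET_KEY_NAME_RE = /secret|password|private/i;

// Returns a list of findings; an empty list means the config is clean.
function auditPublicConfig(config) {
  const findings = [];
  for (const [key, value] of Object.entries(config)) {
    const text = String(value);
    if (SECRET_KEY_NAME_RE.test(key)) {
      findings.push({ key, issue: 'secret-like key name in public config' });
    } else if (ACCESS_KEY_ID_RE.test(text)) {
      findings.push({ key, issue: 'AWS access key id in public config' });
    } else if (PUBLIC_ID_PATTERNS[key] && !PUBLIC_ID_PATTERNS[key].test(text)) {
      findings.push({ key, issue: 'value does not match the expected identifier shape' });
    }
  }
  return findings;
}

// Constructed sample configs (not real resources).
const cleanConfig = {
  poolId: 'us-east-1:11111111-2222-3333-4444-555555555555',
  appUserPoolName: 'us-east-1_AbCdEfGhI',
  appUserPoolClientId: 'abcdefghijklmnopqrstuvwxyz',
  botName: 'OrderFlowers',
};
const leakyConfig = { ...cleanConfig, apiSecretKey: 'constructed-placeholder' };

console.log(auditPublicConfig(cleanConfig)); // []
console.log(auditPublicConfig(leakyConfig)); // one finding on apiSecretKey
```

The shape check also catches a real secret pasted into the wrong field, since it will not look like the identifier that field is supposed to hold.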