I am able to join a meeting that requires registration without registering

Description
I am creating meetings with approval_type: 0 and registration_type: 3. On creating a registration I get the join url, and send it to the registered user. The join url includes the meeting id, registrant token, and encrypted password so that they can join the meeting with one click.

Error
Anyone can just take the meeting id and encrypted password from the join url and access the meeting without registering. There are two problems here:

  1. Joining the meeting doesn’t actually require a registrant token.
  2. The encrypted password can be typed in as-is (without decrypting it), and it is accepted.

Which App Type (OAuth / Chatbot / JWT / Webhook)?
JWT

Which Endpoint/s?
POST /users/{userId}/meetings
POST /meetings/{meetingId}/registrants


Hey @Bright,

Let me know if this clears up the confusion. If you are logged into your browser as the meeting host and click on the participant's unique registration join_url, or a constructed join_url, you will be admitted to the meeting, but as the host / creator of the meeting, since your Zoom session overrides the participant join url. Basically, Zoom detects that the meeting host is already logged in and then starts the meeting.

I tested this using an incognito browser that I (the meeting host) was not signed into, and the flow was as expected: I was directed to register for the meeting.

Try exactly what you were doing, but either make sure you are logged out of your Zoom account on your browser, or use a private browsing session to emulate the participant not being logged into the host account.

Let me know what you see. 🙂

Thanks,
Tommy

I am not logged into a Zoom account and am able to access meetings that require registration by using the meeting id and then typing in the encrypted password.

Here are the steps:

  1. Someone sends you (or tweets) their join url of the form https://zoom.us/w/[meetingId]?tk=[registrationToken]&pwd=[encryptedPassword]
  2. You open your Zoom app, logged in as someone who has not registered for this meeting
  3. Click join meeting, type in the meetingId
  4. You are prompted for a password, you type in the encryptedPassword
  5. You’re in. No registration necessary
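
The join url form in step 1 carries both the registrant token and the encrypted password, so any place that stores or republishes such a link (chat logs, tickets, monitoring output) exposes them. As an added example (not from the original thread and not Zoom's code), this Python code finds join urls of that form in free text and redacts `tk` and `pwd`; the optional subdomain in the pattern is an assumption and the sample text is constructed.

```python
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Query parameters the thread identifies in a registrant join URL.
SENSITIVE = {"tk": "registrant token", "pwd": "encrypted password"}

# Join URLs of the form quoted in the thread: https://zoom.us/w/<meetingId>?...
# Allowing one subdomain label in front of zoom.us is an assumption.
JOIN_URL_RE = re.compile(r"https://(?:[\w-]+\.)?zoom\.us/w/\d+\?[^\s<>\"']+")

# Constructed sample text; the ID, token and password are made up.
SAMPLE = ("Join us tonight: https://zoom.us/w/91234567890"
          "?tk=abcDEF123.xyz&pwd=QmFzZTY0UGFzcw09. See you there!")


def redact_join_url(url):
    """Return (redacted_url, meeting_id, exposed) for one join URL."""
    parts = urlsplit(url)
    exposed, query = [], []
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        if key in SENSITIVE and value:
            exposed.append(SENSITIVE[key])
            value = "REDACTED"
        query.append((key, value))
    meeting_id = parts.path.rsplit("/", 1)[-1]
    return urlunsplit(parts._replace(query=urlencode(query))), meeting_id, exposed


def scrub_text(text):
    """Redact every join URL in free text; return (clean_text, report)."""
    report = []

    def _sub(match):
        raw = match.group(0)
        url = raw.rstrip(".,;:!?)")  # punctuation that followed the URL in prose
        redacted, meeting_id, exposed = redact_join_url(url)
        if exposed:
            report.append({"meeting_id": meeting_id, "exposed": exposed})
        return redacted + raw[len(url):]

    return JOIN_URL_RE.sub(_sub, text), report


if __name__ == "__main__":
    clean, report = scrub_text(SAMPLE)
    print(clean)
    print(report)
```

The report lists which meeting ids appeared with a token or password attached, so the affected meetings can be identified from the scrubbed text.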

@Bright

1] If you enter the encrypted password, it will still ask you to register for the meeting.

2] Once you give your name and email, then it will let you enter the email only if the approval is automatic.

3] If the approval is manual, then after you register, you will have to wait until your registration is approved by the host.

I hope this helps.

No, this is actually not true. It does not ask me to register; it allows me to enter the meeting without asking me to register. Do I need to send you a screen recording?

Hi @Bright,

If you’re seeing an instance where one of the above points is not observed, an example would help us to take a closer look!

Thanks,
Will