When creating a meeting with registration via API, the following security issues exist:
Critical security risk / bug?
When anyone register for a meeting, they get the meeting ID and passcode. If they join by phone using meeting ID / passcode, it allows them without requiring a participant ID or anything else.
Therefore we have non-registered users joining by phone and there is no way for the host to know that. This leads to a big security risk.
How do we fix that?
(If they try to join through web using just that, it correctly does not allow them).
Not ideal, may be expected functionality?
There does not seem to be a way to completely disable the registration page or redirect it to only registering through our website. If someone in-meeting copies the meeting link, anyone who gets it goes to a Zoom registration page instead of our website page (or instead of receiving an error message or similar, which would be ideal). This leads to people trying to register through the Zoom registration page.
- Is the only workaround to use meeting.registration.created webhooks to listen for that, somehow delete their registration via API, and then email them to register on the actual reg page (on our website)?
Is there any workaround?
I haven’t tested this on webinars, but do the same issues exist for webinars?
And lastly, a side note - is there any way to disable the “Your participant has joined your meeting” email that hosts get? If they created the meeting through our platform, that can cause confusion.
Thank you!