I am in the process of submitting my Zoom OAuth app, and in the security review the reviewer stated that my old version of the API is exposing sensitive information.
The old version of the API creates new scheduled meetings on my Zoom account, using custCreate with a JWT app for all my end users, and returns the start_url to the person who creates the meeting from my app and the join_url to whomever the host sends it to.
The reviewer stated that the zak query param, which is an encoded JWT, can be decoded to expose Zoom account information like zm skm in the headers and uid in the payload.
I have told the reviewer that the zak is part of the start_url sent in the response of the meeting-creation Zoom endpoint, and that it needs to be there so we can redirect the user who creates the meeting to Zoom as the meeting host.
And I am not sure what kind of bad things people can do with the decoded JWT. The reviewer takes a bit of time to reply, which is why I am asking here. What should I do to unblock the review process ASAP? I need this app published ASAP because I am running late on the deadline, so getting fast replies is really critical.
Please note that the reviewer has asked for the above details about my old API, which uses the JWT app, and not about the new API, which uses the OAuth app and is the one I am trying to publish.
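What the reviewer is pointing at is that a JWT is signed, not encrypted: the header and payload are plain base64url-encoded JSON, so anyone who can see a start_url can read every claim in its zak without knowing the signing key. The snippet below is an added example (not code from the question or from Zoom) that builds a constructed HS256 token, pulls the zak out of a made-up start_url, and decodes it without verification. The secret, the URL shape, and the claim names zm_skm and uid are assumptions modeled on the wording of the question, not Zoom's real key material or token layout.

```python
import base64
import hashlib
import hmac
import json
from urllib.parse import parse_qs, urlparse

# Constructed sample values for this example only (assumed, not Zoom's real ones).
SAMPLE_SECRET = b"example-signing-secret-not-real"
SAMPLE_HEADER = {"alg": "HS256", "typ": "JWT", "zm_skm": "zm_o2m"}  # "zm_skm" is an assumed name
SAMPLE_PAYLOAD = {"uid": "abc123", "iss": "web", "exp": 1700000000}  # "uid" modeled on the question


def b64url_encode(raw: bytes) -> str:
    """JWT-style base64url without '=' padding."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    """Restore the padding JWTs strip, then decode."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_hs256_jwt(header: dict, payload: dict, secret: bytes) -> str:
    """Sign header.payload with HMAC-SHA256; only the signature needs the secret."""
    compact = lambda obj: b64url_encode(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = f"{compact(header)}.{compact(payload)}"
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url_encode(sig)}"


def decode_unverified(token: str) -> tuple:
    """What an outsider can do: read header and payload with no key at all."""
    header_seg, payload_seg, _sig = token.split(".")
    return json.loads(b64url_decode(header_seg)), json.loads(b64url_decode(payload_seg))


def verify_hs256(token: str, secret: bytes) -> bool:
    """What only the key holder can do: confirm the token was not tampered with."""
    header_seg, payload_seg, sig_seg = token.split(".")
    expected = hmac.new(secret, f"{header_seg}.{payload_seg}".encode(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, b64url_decode(sig_seg))


def build_sample_start_url(token: str) -> str:
    """Constructed URL shape for the demo; the real start_url format is not asserted here."""
    return f"https://example.invalid/s/1234567890?zak={token}"


def leaked_fields(start_url: str) -> dict:
    """Everything a recipient of the start_url learns by decoding zak, no secret needed."""
    token = parse_qs(urlparse(start_url).query)["zak"][0]
    header, payload = decode_unverified(token)
    return {"header": header, "payload": payload}


if __name__ == "__main__":
    tok = make_hs256_jwt(SAMPLE_HEADER, SAMPLE_PAYLOAD, SAMPLE_SECRET)
    print(json.dumps(leaked_fields(build_sample_start_url(tok)), indent=2))
    print("signature valid with key:", verify_hs256(tok, SAMPLE_SECRET))
    print("signature valid with wrong key:", verify_hs256(tok, b"wrong"))
```

The contrast between decode_unverified and verify_hs256 is the point: the signature stops anyone from forging or altering the zak, but it does nothing to hide the claims, which is why a reviewer treats a token in a URL as disclosed data wherever that URL travels.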