I am in the process of submitting my Zoom OAuth app, and in the security review the reviewer stated that my old version of the API is exposing sensitive information.
The old version of the API creates new scheduled meetings on my Zoom account, using custCreate with a JWT app for all my end users, by returning the start_url to the person who creates the meeting from my app and the join_url to whomever the host sends it to.
The reviewer stated that the zak query param, which is an encoded JWT, can be decoded to expose Zoom account information like zm skm in the headers and uid in the payload.
I have told the reviewer that the zak is part of the start_url sent in the response of the meeting-creating Zoom endpoint, and it needs to be there so we can redirect the user who creates the meeting to Zoom as a meeting host.
And I am not sure what kind of bad things people can do with the decoded JWT. The reviewer takes a while to reply, which is why I am asking here. What should I do to unblock the review progress ASAP? I need this app published ASAP, because I am running late on the deadline, so getting fast replies is really critical.
Please note that the reviewer has asked for the above details about my old API, which is using the JWT app, and not about the new API, which is using the OAuth app and is the one I am trying to publish.
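The reviewer's point is about what a JWT does and does not protect: the header and payload of a JWT are base64url-encoded JSON, not encrypted, so anyone who receives the start_url can read every claim in the zak without any key; only the signature, which requires Zoom's key, protects the token against tampering. The following is an added example, not code from the original post and not Zoom's code. The token, secret, URL shape and claim values are constructed for illustration; the claim names zm_skm (the post writes "zm skm") and uid are taken from the post, and their spelling and values are assumed.

```python
from __future__ import annotations

import base64
import hashlib
import hmac
import json
from urllib.parse import parse_qs, urlparse

# Everything below is constructed for illustration. The key, claim values and
# URL shape are assumptions, not Zoom's real values or Zoom's real claim set.
SAMPLE_SECRET = b"constructed-secret-not-a-real-zoom-key"
SAMPLE_HEADER = {"alg": "HS256", "typ": "JWT", "zm_skm": "zm_o2m"}  # "zm skm" in the post; spelling assumed
SAMPLE_PAYLOAD = {"uid": "AbCdEf123456", "iat": 1600000000, "exp": 1600007200}


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    # JWT segments omit base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _json_segment(obj: dict) -> str:
    return _b64url_encode(json.dumps(obj, separators=(",", ":")).encode())


def make_sample_zak(header: dict, payload: dict, secret: bytes) -> str:
    """Build a constructed HS256 JWT shaped like the zak in the post (illustrative only)."""
    signing_input = f"{_json_segment(header)}.{_json_segment(payload)}"
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url_encode(sig)}"


def make_sample_start_url(zak: str) -> str:
    # Constructed URL shape; the real start_url format is Zoom's to define.
    return f"https://zoom.us/s/1234567890?zak={zak}"


def extract_zak(start_url: str) -> str:
    """Pull the zak query parameter out of a start_url."""
    return parse_qs(urlparse(start_url).query)["zak"][0]


def decode_jwt_unverified(token: str) -> tuple[dict, dict]:
    """What anyone holding the start_url can do: read header and payload.
    The segments are base64url JSON, not ciphertext, so no key is needed."""
    header_b64, payload_b64, _sig_b64 = token.split(".")
    return json.loads(_b64url_decode(header_b64)), json.loads(_b64url_decode(payload_b64))


def verify_hs256(token: str, secret: bytes) -> bool:
    """What only the key holder can do: confirm the token is untampered.
    The signature guarantees integrity; it does not hide the claims."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, _b64url_decode(sig_b64))


def tamper_uid(token: str, new_uid: str) -> str:
    """Change the uid claim but keep the original signature; verification must fail."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    payload = json.loads(_b64url_decode(payload_b64))
    payload["uid"] = new_uid
    return f"{header_b64}.{_json_segment(payload)}.{sig_b64}"


def readable_without_key(start_url: str) -> dict:
    """Summarise what a recipient of the start_url learns with no secret at all."""
    header, payload = decode_jwt_unverified(extract_zak(start_url))
    return {"zm_skm": header.get("zm_skm"), "uid": payload.get("uid"), "exp": payload.get("exp")}


if __name__ == "__main__":
    url = make_sample_start_url(make_sample_zak(SAMPLE_HEADER, SAMPLE_PAYLOAD, SAMPLE_SECRET))
    print("start_url:", url)
    print("readable by anyone holding the URL:", readable_without_key(url))
    print("signature valid:", verify_hs256(extract_zak(url), SAMPLE_SECRET))
    print("valid after tampering uid:", verify_hs256(tamper_uid(extract_zak(url), "someone-else"), SAMPLE_SECRET))
```

The practical reading of the reviewer's finding: whatever claims the zak carries are disclosed to every party that ever sees the start_url (browser history, proxy and server logs, anyone it is forwarded to), independently of whether the signature is valid. The signature check in verify_hs256 stops a recipient from altering the claims, but it does nothing to keep them private, which is why a start_url has to be treated as a credential delivered only to the host and never reused as a shareable link.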