"Sorry, you have been blocked" error when accessing Zoom API

Zoom Apps Configuration
Our app is running on node.js backend and a combination of VanillaJS/AngularJS/React microfrontends. The only relevant code here is our node.js backend.

Error Description
Since recently, all our requests to Zoom API fail with “403 Forbidden” response code. In the response body, we see the following:

Please enable cookies.

Sorry, you have been blocked

You are unable to access zoom.us

Why have I been blocked?

This website is using a security service to protect itself from online attacks. The action you just performed triggered the security solution. There are several actions that could trigger this block including submitting a certain word or phrase, a SQL command or malformed data.

What can I do to resolve this?

You can email the site owner to let them know you were blocked. Please include what you were doing when this page came up and the Cloudflare Ray ID found at the bottom of this page.
Cloudflare Ray ID: 7a7347446afdbb85 • Your IP: Click to reveal • Performance & security by Cloudflare

For example, this response we got to a request to api/v2/users/me/meetings. Same with all other requests to Zoom API.

We make these requests from our node.js backend. It has been working fine for more than a year, and now it suddenly started to fail. We didn’t change anything that we think could be related.

The issue affects both our Staging and Production environments. It affects users from different countries.

This is an urgent issue as it breaks key features of our system,

How To Reproduce
Open our app, try to register as a new user.
Or try to schedule a meeting as an existing user.

I pinged your team for more information on the team chat channel that we have. I’ll use that to ping our service engineering team to investigate the issue.

1 Like

I created ticket ZSEE-85061 for this and will keep you posted as the issue progresses.

1 Like

@MaxM Update: today the issue can no longer be reproduced. Everything works fine. Still, we would appreciate some insight why this happened and how can we avoid this in the future

Great! I’m glad to hear that everything is working as expected. Our team whitelisted your IP address and found the root cause. It seems that our rules blocked it because it detected a CVE-2018-14773 anomaly.

Just to be safe, I would confirm that your application is not using the X-Original-URL and X-Rewrite-URL request headers.

You shouldn’t run into this issue going forward but please reach out if you encounter any other questions or issues.

1 Like

Hi @MaxM ,

Thank you for resolving the issue!

It’s still strange that we got blacklisted automatically, but being whitelisted should mean we are safe for the future, I hope.

I’ve checked the code and didn’t find the headers they mentioned. We are using a custom “x-initial-origin” header (that I introduced for overcoming some CORS issues specific to our system); maybe it could have triggered the safety alarm.

Thanks again!

Hi @MaxM,
We are receiving these errors as well. We’ve checked the headers and tried clearing out all that are mentioned in this post. We are still getting blocked. Here’s one of our Cloudflare Ray IDs: 7a7cd16b8d77c64f

We have a few public IP address ranges, can we get those whitelisted?

We found that putting our IIS proxy in stealth mode got us around the issue.

Apologies on the delay in seeing your issue. I’m glad to hear that it is resolved! If you would like me to investigate this further please respond to the initial post you created and I’ll follow up with you.