Description
In a meeting that is “only for registrants”, a user can use a registrant link and join with the browser. In this case the reports don’t show the email (which is implicit in the registrant link), so we have ghosts in a private meeting and we can’t know which registrant link they used!!
We did a test showing a dangerous system vulnerability.
Meeting: [REDACTED]
Meeting data:
{
  "agenda": "",
  "assistant_id": "",
  "created_at": "2021-04-08T14:02:58Z",
  "duration": 50,
  "host_email": "",
  "host_id": "[REDACTED]",
  "id": [REDACTED],
  "join_url": "***",
  "registration_url": "[REDACTED]",
  "settings": {
    "allow_multiple_devices": true,
    "alternative_hosts": "",
    "approval_type": 0,
    "approved_or_denied_countries_or_regions": {
      "enable": false
    },
    "audio": "both",
    "auto_recording": "cloud",
    "breakout_room": {
      "enable": false
    },
    "close_registration": false,
    "cn_meeting": false,
    "contact_email": "***",
    "contact_name": "[REDACTED]",
    "device_testing": false,
    "encryption_type": "enhanced_encryption",
    "enforce_login": false,
    "enforce_login_domains": "",
    "global_dial_in_countries": [
      "IT"
    ],
    "global_dial_in_numbers": [
      {
        "country": "IT",
        "country_name": "Italia",
        "number": "+39 02124128823",
        "type": "toll"
      },
      {
        "country": "IT",
        "country_name": "Italia",
        "number": "+39 0694806488",
        "type": "toll"
      },
      {
        "country": "IT",
        "country_name": "Italia",
        "number": "+39 0200667245",
        "type": "toll"
      }
    ],
    "host_video": true,
    "in_meeting": false,
    "jbh_time": 0,
    "join_before_host": true,
    "meeting_authentication": false,
    "mute_upon_entry": true,
    "participant_video": true,
    "registrants_confirmation_email": true,
    "registrants_email_notification": true,
    "request_permission_to_unmute_participants": false,
    "show_share_button": true,
    "use_pmi": false,
    "waiting_room": true,
    "watermark": false
  },
  "start_time": "2021-04-08T14:10:00Z",
  "start_url": "[REDACTED]",
  "status": "waiting",
  "timezone": "Europe/Rome",
  "topic": "Attività 3",
  "type": 2,
  "uuid": "[REDACTED]"
}
We create the meeting with the API with a configuration like this:
$meeting_data = array (
    'topic' => $this->data['modulo'][0]->activity_title,
    'type' => '2',
    'start_time' => $start_time,
    'duration' => $duration,
    'timezone' => 'Europe/Rome',
    'agenda' => $this->data['modulo'][0]->annotazioni,
    'settings' =>
    array (
        'host_video' => true,
        'participant_video' => true,
        'cn_meeting' => false,
        'in_meeting' => false,
        'join_before_host' => true,
        'mute_upon_entry' => true,
        'watermark' => false,
        'use_pmi' => false,
        'approval_type' => 0,
        'registration_type' => 1, // emphasized in the original post
        'audio' => 'both',
        'auto_recording' => 'cloud',
        'registrants_email_notification' => true,
    ),
);
We don’t know if registration_type is OK or not, but that is not the problem.
We generated TWO registered users with specific links.
During the meeting I was able to JOIN the meeting with three different devices:
1- one for the host
2- one for the first link with a mobile device
3- one for the second link with a laptop
On the third device I clicked on the link and then chose JOIN FROM BROWSER. (NOTE: I have disabled this link FROM SETTINGS but the link is visible!! → FIRST BUG)
On the third device the web client asked me ONLY for a username, not an email… and also the email associated with the registrant link is ignored and not tracked.
When I view the report I see:
[4] => stdClass Object
(
[id] => [REDACTED]
[user_id] =>[REDACTED]
[name] => [REDACTED]
[user_email] =>
[join_time] => 2021-04-08T14:06:28Z
[leave_time] => 2021-04-08T14:11:28Z
[duration] => 300
[attentiveness_score] =>
)
The user doesn’t have any email associated and I can’t know which registrant link they used! It is like a Ghost in a Private Meeting.
Is it possible to solve this BUG?! And also… is this a known bug of the platform?
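
Added example, not part of the original post and not Zoom's code: a check a meeting operator could run over the participant report to flag sessions with an empty user_email and to list the registrants who could be behind them. The field names come from the data in the post; the function names, the registrant list and all sample values are constructed for this example.

```python
# Added example: field names (name, user_email, meeting_authentication,
# enforce_login) follow the data in the post; every sample value is constructed.

def unauthenticated_join_allowed(settings):
    """True when neither sign-in setting from the meeting data is enabled.

    Assumption of this example: with both off, a join does not require a
    signed-in identity, so the report may carry only a self-chosen name.
    """
    return not (settings.get("meeting_authentication") or settings.get("enforce_login"))


def audit_participants(participants, registrant_emails, host_email=""):
    """Sort report rows into identified, ghost and unregistered sessions."""
    known = {e.strip().lower() for e in registrant_emails}
    host = host_email.strip().lower()
    seen = set()
    result = {"identified": [], "ghosts": [], "unregistered": []}
    for row in participants:
        email = (row.get("user_email") or "").strip().lower()
        if not email:
            # No email recorded: the session cannot be tied to a registrant link.
            result["ghosts"].append(row)
        elif email == host:
            continue  # the host is not a registrant
        elif email in known:
            seen.add(email)
            result["identified"].append(row)
        else:
            result["unregistered"].append(row)
    # Registrants who never appear by email are the candidates for each ghost.
    result["no_show"] = sorted(known - seen)
    return result


# Constructed sample data shaped like the report in the post.
SAMPLE_REPORT = [
    {"name": "Host", "user_email": "host@example.com", "join_time": "2021-04-08T14:05:00Z"},
    {"name": "Alice", "user_email": "Alice@example.com", "join_time": "2021-04-08T14:06:00Z"},
    {"name": "laptop-user", "user_email": "", "join_time": "2021-04-08T14:07:00Z"},
]
SAMPLE_REGISTRANTS = ["alice@example.com", "bob@example.com"]

if __name__ == "__main__":
    audit = audit_participants(SAMPLE_REPORT, SAMPLE_REGISTRANTS, "host@example.com")
    for ghost in audit["ghosts"]:
        print("ghost session:", ghost["name"], ghost["join_time"])
    print("registrants not seen by email:", audit["no_show"])
```

A ghost session can only be narrowed down to the registrants listed under `no_show`; the report alone does not say which of them used the link.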