Zoom Video SDK session causes another user’s browser to appear logged in to my Zoom web account

Problem statement:

A user joined our web app (meet.talkplayground.com) built with Zoom Video SDK for Web. After the session, they went to zoom.com and saw my initials (“NV”) in the header, as if logged in to my account. They could not access any account pages, but the portal clearly displayed my identity. This was on their own machine, not mine.

Expected vs actual:

  • Expected: Video SDK use should not log a third-party browser into my Zoom web account.

  • Actual: After a Video SDK session, their browser showed my initials on zoom.com.

Details:

  • We generate Video SDK JWTs server-side with our SDK Key/Secret.

  • We do not use Meeting SDK, OAuth, start_url, or embed zoom.us pages.

  • Unsure if any Video SDK resource requests could set or reuse zoom.us login cookies.

Repro request for Zoom:

  1. Use a fresh Chrome profile.

  2. Join a Video SDK session on our site using our JWT.

  3. Visit zoom.com afterwards.

  4. See if the browser shows the host account’s initials.

Ask:

  • Confirm whether Video SDK can set or reuse zoom.us web login cookies.

  • Confirm whether a Video SDK JWT could in any way result in a Zoom web-portal login state.

session ID
QwK85jzXSy+LLpho+C4/mA==
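One way to check the first ask above from a capture of the repro steps, as an added example that is not part of the original post or Zoom's code: it scans a HAR export for `Set-Cookie` headers returned by zoom.us or zoom.com hosts. The HAR shown is constructed sample data with hypothetical hostnames and cookie names, and the script assumes the capture was exported with cookie headers included.

```javascript
// Added example: list cookies that Zoom-owned hosts set during a captured session.
const ZOOM_SUFFIXES = ["zoom.us", "zoom.com"]; // the two domains named in the post

function isZoomHost(host) {
  const h = host.toLowerCase();
  return ZOOM_SUFFIXES.some((s) => h === s || h.endsWith("." + s));
}

// Parse one Set-Cookie value into its name, Domain attribute and security flags.
function parseSetCookie(value) {
  const [pair, ...attrs] = value.split(";").map((p) => p.trim());
  const eq = pair.indexOf("=");
  const cookie = { name: eq < 0 ? pair : pair.slice(0, eq), domain: null, httpOnly: false, secure: false };
  for (const attr of attrs) {
    const [key, val = ""] = attr.split("=");
    const k = key.trim().toLowerCase();
    if (k === "domain") cookie.domain = val.trim().replace(/^\./, "").toLowerCase();
    if (k === "httponly") cookie.httpOnly = true;
    if (k === "secure") cookie.secure = true;
  }
  return cookie;
}

// Browsers reject a Domain attribute that does not cover the responding host, so filter on that host.
function findZoomCookies(har) {
  const hits = [];
  for (const entry of har.log.entries) {
    const host = new URL(entry.request.url).hostname;
    if (!isZoomHost(host)) continue;
    for (const header of entry.response.headers) {
      if (header.name.toLowerCase() !== "set-cookie") continue;
      // Some exporters fold several Set-Cookie headers into one newline-joined value.
      for (const line of header.value.split("\n").filter(Boolean)) {
        const c = parseSetCookie(line);
        hits.push({ setBy: host, scope: c.domain || host, ...c });
      }
    }
  }
  return hits;
}

// Constructed sample HAR (hypothetical hosts and cookie names), not a real capture.
const SAMPLE_HAR = { log: { entries: [
  { request: { url: "https://app.example.test/join" },
    response: { headers: [{ name: "Set-Cookie", value: "app_sid=1; Path=/; HttpOnly" }] } },
  { request: { url: "https://sub.zoom.us/constructed/asset.js" },
    response: { headers: [{ name: "set-cookie", value: "constructed_a=1; Domain=.zoom.us; Secure; HttpOnly\nconstructed_b=2; Path=/" }] } },
] } };
console.table(findZoomCookies(SAMPLE_HAR));
```

A hit whose `scope` is the bare parent domain is sent to every subdomain of it, so those rows are the ones to compare against the cookies the web portal reads.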

Hi @nventurino

Thanks for your feedback.

We have identified this issue and are currently investigating the root cause.

Thanks
Vic

@vic.yang any update?

Hi @nventurino

Apologies for the delayed response. We’ve identified the root cause of the issue, and we’ll fix it on our Web portal.

Thanks
Vic