Zoom API JWT

ID

zoom_api_jwt

Severity

high

Vendor

Zoom

Family

API Token

Description

Zoom Video Communications is a communications technology company.

Its API give programmatically access to Zoom features and enable to integrate external services with it. JWT can be used for server-to-server interactions, they can be generated with an API key and secret or directly from the developer dashboard.

JSON Web Tokens (JWT) represent claims securely between two parties. They follow the open standard RFC 7519.

JWT are JSON objects containing the claims and signed using HMAC or public key/private keypair. It contains three parts: a header, a payload and a signature. header and payload are base-64 encoded JSON objects.

Security

Any hardcoded Zoom API JWT is a potential secret reported by this detector.

Accidentally checking-in the token to source control repositories could compromise your Zoom account.

Examples

var jwt = "Bearer eyJhbGciOiJIUzI1NiJ9.eyJhdWQiOm51bGwsImlzcyI6ImpmM0tFWFhvUnBxYTMxam92VERBd0EiLCJleHAiOjI4NDQ4MDE5NDAsImlhdCI6MTYyMzg3MTc5NX0.6WItA9SzXDFA4gaWftCPx2E94Xj6URS5eWuRXZgvAfY";

Mitigation / Fix

  1. Remove the Token from the source code or committed configuration file.

  2. Follow your policy for handling leaked secrets, which typically require revoking the secret in the target system(s). Go to your app dashboard and regenerate the API secret to revoke a JWT.

  3. If under a git repository, you may remove unwanted files from the repository history using tools like git filter-repo or BFG Repo-Cleaner. You may follow the procedure listed here for GitHub.

You should consider any sensitive data in commits with secrets as compromised.

Remember that secrets may be removed from history in your projects, but not in other users' cloned or forked repositories.

Reference

https://marketplace.zoom.us/docs/guides/build/jwt-app