Zoom API Keys

ID

zoom_api_keys

Severity

high

Vendor

Zoom

Family

Access key

Description

Zoom Video Communications is a communications technology company.

Its API give programmatically access to Zoom features and enable to integrate external services with it. OAuth apps can access users' authorized data using OAuth2.0 with a client id and secret.

Security

Any hardcoded Zoom API Key or Secret is a potential secret reported by this detector.

Accidentally checking-in the key or secret to source control repositories could compromise your Zoom account.

Examples

ZOOM_ID=mvczmzwu9mqbvp2fxghn
ZOOM_SECRET=7bxsy97epssj2m4vwfenggj5u77nkep25

Mitigation / Fix

  1. Remove the Key and Secret from the source code or committed configuration file.

  2. Follow your policy for handling leaked secrets, which typically require revoking the secret in the target system(s). The client secret can be rotated from the developer dashboard.

  3. If under a git repository, you may remove unwanted files from the repository history using tools like git filter-repo or BFG Repo-Cleaner. You may follow the procedure listed here for GitHub.

You should consider any sensitive data in commits with secrets as compromised.

Remember that secrets may be removed from history in your projects, but not in other users' cloned or forked repositories.

Reference

https://marketplace.zoom.us/docs/guides/build/oauth-app