Zoom SDK Keys

ID

zoom_sdk_keys

Severity

high

Vendor

Zoom

Family

Access key

Description

Zoom Video Communications is a communications technology company.

Its SDK allows to integrate Zoom features into native apps. Apps are authenticated with a SDK key and secret.

Security

Any hardcoded Zoom SDK Key and Secret is a potential secret reported by this detector.

Accidentally checking-in the key or secret to source control repositories could compromise your Zoom account.

Examples

ZOOM_ID=mvczmzwu9mqbvp2fxghn
ZOOM_SECRET=7bxsy97epssj2m4vwfenggj5u77nkep25

Mitigation / Fix

  1. Remove the Key and Secret from the source code or committed configuration file.

  2. Follow your policy for handling leaked secrets, which typically require revoking the secret in the target system(s). he SDK secret can be rotated from the developer dashboard.

  3. If under a git repository, you may remove unwanted files from the repository history using tools like git filter-repo or BFG Repo-Cleaner. You may follow the procedure listed here for GitHub.

You should consider any sensitive data in commits with secrets as compromised.

Remember that secrets may be removed from history in your projects, but not in other users' cloned or forked repositories.

Reference

https://marketplace.zoom.us/docs/guides/build/sdk-app