Unauth meetings access

Google Meets app can be controlled in multiple ways from the GSuite admin panel. Administrator of companies can set rules for example who can automatically join the meeting. By default, guests (users not in the same organization) will automatically join the meeting however this can be prevented easily by going to admin.google.com and changing the meets permission. Once the permission is set, it requires creator of the meeting to accept the invite:

Instead of joining directly from the web, a user can also join from their phone. For this, they will need the meeting phone number and pin. This information is available to the creator and to the users who are invited to the meeting. When you add a calendar event and add external guests, they will also receive this information on their invitation:

My goal from an attacker perspective was to get inside a meeting without being invited to it. This meant that I will not have the phone number and the pin and also will not be invited in any way to the meeting. As an attacker, when I visited meet.google.com, it asked me for a meeting code and I provided the meeting code of my victim: ein-yhyc-sjb. This then initiated a request where it asked the meeting organizer if they want to accept me in the meeting. However, at the same time, in Burp I noticed multiple requests being sent which could potentially be useful. One of the request was to GetMeetingSpace. The request looked something along the line of this:

POST /$rpc/google.rtc.meetings.v1.MeetingSpaceService/GetMeetingSpace HTTP/1.1

Host: meetings.clients6.google.com

User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:61.0) Gecko/20100101 Firefox/61.0

Accept: */*

Accept-Language: en-US,en;q=0.5

Accept-Encoding: gzip, deflate, br

Referer: https://meet.google.com/ein-yhyc-sjb

x-goog-meeting-token: 1531145784915;<TOKEN>

x-goog-meeting-debugid: <DEBUGID>

x-goog-authuser: 0

authorization: SAPISIDHASH <AUTH>

content-type: application/x-protobuf

x-goog-api-key: API_KEY

x-goog-encode-response-if-executable: base64

Content-Length: 21

Origin: https://meet.google.com

Cookie: <COOKIES>

Connection: close

 spaces/NMF_JYABJGcB

In the request, it passes the spaces/ID to GetMeetingSpace and gather information about the meeting. As a response of the request it returned a base64 string:

ChNzcGFjZXMvTk1GX0pZQUJKR2NCEgxlaW4teWh5Yy1zamIaJGh0dHBzOi8vbWVldC5nb29nbGUuY29tL2Vpbi15aHljLXNqYiACKiQKDCsxMjE4Mjg4MjgxOBIJOTI3MTY3NzUwGgJVUyIFZW4tVVM

When decoded this base64 string includes the phone number and the pin for the meeting:

spaces/NMF_JYABJGcB  ein-yhyc-sjb $https://meet.google.com/ein-yhyc-sjb  *$

 +12182882818   927167750  US" en-VVM

From an attacker perspective, I no longer needed to wait for the admin to accept my invitation because I could directly join the meeting by phone. Google will automatically add you to the meeting if you call the number and provide the pin.