Meeting Login Flow. When a user creates a new meeting, Zoom auto generates a link for people to join, in the form (dummy data below). I can easily parse the meeting URL to obtain the meeting ID. Is there a method to decrypt the meeting password? Notice the URL in the invitation in Figure 2 to “Join Zoom Meeting” includes a “pwd=” parameter followed by numerous seemingly random characters.
 
 

How to decode zoom password from link – how to decode zoom password from link:. Zoom Security Exploit – Cracking private meeting passwords

They seem to have mitigated it by both requiring a user logs in to join meetings in the web client, and updating default meeting passwords to be non-numeric and longer. Therefore this attack no longer works. On March 31st, Boris Johnson tweeted about chairing the first ever digital cabinet meeting. I was amongst many who noticed that the screenshot included the Zoom Meeting ID. Twitter was alive with people saying they were trying to join, but Zoom protects meetings with a password by default which was pointed out when the Government defended using Zoom.

Having also tried to join, I thought I would see if I could crack the password for private Zoom meetings. Over the next couple of days, I spent time reverse engineering the endpoints for the web client Zoom provide, and found I was able to iterate over all possible default passwords to discover the password for a given private meeting.

After trying to join the Cabinet Meeting, I poked about in the Zoom app and noticed the default passwords being 6 digits and numeric, meaning 1 million maximum passwords. A fairly standard principle of password security is to rate limit password attempts, to prevent an attacker from iterating over a list of candidate passwords and trying them all.

We understand that some of these changes are challenging, and we appreciate your patience as we scale up our support to meet the increased customer demand. Thank you for providing this information. In this case, do you see this when you submit a ticket through our customer support team. If so, you can submit a feature request through our Feedback Form.

This topic was automatically closed 30 days after the last reply. Thanks, Luke. Hey lja , Thank you for your question. Let me know if that helps. Hey lja , The pwd parameter was implemented for our Web Client specifically whereas the Web SDk is intended for building out your own Web Client where you could implement this feature if necessary. No password is required to be input, however, because the password is embedded in the link hidden in the encoded string of characters used to connect to the meeting.

What was the point of requiring a password, then? The other way to join a Zoom meeting is to enter the 9-digit Meeting ID; if you attempt to join a meeting using this method and a password was configured, a password prompt is displayed. This stops people attempting to connect to a password-protected meeting with only the Meeting ID, thus resulting in a reduction of Zoom-bombing.

That said, the bad actors who have been Zoom-bombing may still be able to use brute-force tactics to find valid Meeting IDs, by setting scripts running to continually attempt to connect to meetings.

There is a risk that someone may forward the invitation, in its entirety, to an unauthorized person who could then join the meeting, and would be in possession of the link with the embedded password and the actual password. Even if the password were not embedded in the link, the password is included in the invitation, so again the password is offering no security value.

Does the browser insert any risk to the details needed to join a meeting? As the link is https, the browser will start by asking the zoom. Some real examples follow-. Id: Pwd: 1ubfpn URL: us02web. Firstly it is trivial that the first bit of the url is the id itself, but i cant make out anything about the?

Perhaps it is hashed but I don’t know much about it. If this relation is found out it would make life much easier. It also doesn’t violate any privacy stuff since the user can join a meeting either he has id-pwd or the url or both. I found this thread on the official zoom website but it doesn’t help much.

How to decode meeting password from meeting link – API and Webhooks – Zoom Developer Forum

 
Let me know if that helps. Protect yourself from threats to your security online with an extended trial of our award-winning software. Learn more. Hot Network Questions.