About "pwd" in meeting URLs

tonatihus · April 25, 2022, 9:07pm

Hello everyone!
I’d like to ask for your help to understand something I’ve been discussing with some colleagues.

Searching for info about the “pwd” parameter in meeting URLs, I found the following forum entry:

where a community advocate answered “releasing the method for hashing the password could allow attackers to bypass a unique join URL and enter a meeting directly, without being invited”

My question is:
What’s the real reason to obfuscate (encrypting or hashing it) the pwd?

As I see it, if an attacker somehow obtains the URL, she/he CAN enter a meeting directly, without being invited.

Thanks in advance.

donte.zoom · April 5, 2023, 5:56pm

@tonatihus ,

Welcome to the Zoom Developer Forum! I’m sorry for not getting back to you sooner – I am happy to help! This is a great question. When you attacker, can you share what kind of attack? Also, I should note there are many ways one can prevent a malicious user from joining the meeting. Here is some great resource on this topic:

Okta Authentication for E2EE brings identity management right into your meeting

Zoom a Leader in 2022 Gartner® Magic Quadrant™ for UCaaS, Worldwide

I am looking for to hearing back from you!

Topic		Replies	Views
How to decode meeting password from meeting link API and Webhooks	7	31593	May 1, 2021
Decoding the web url pwd for the web sdk Web	10	3127	March 27, 2021
Invite URL password hash API and Webhooks	16	33220	June 17, 2020
Created meeting with password, get URL with ?pwd=..., but still prompted for password when clicked API and Webhooks	3	3858	August 21, 2020
Using pwd vs numeric password API and Webhooks	4	1628	August 21, 2020

About "pwd" in meeting URLs

Okta Authentication for E2EE brings identity management right into your meeting

Zoom a Leader in 2022 Gartner® Magic Quadrant™ for UCaaS, Worldwide

Related Topics