The organiser of a recent Zoom meeting I attended provided me with only the meeting ID and meeting password, instead of simply giving me the meeting link, as people normally do.

This being a recurring meeting, it was a bit inconvenient to regularly have to copy and paste the meeting ID and meeting password into the Zoom client. I decided to try to generate a meeting link and bookmark it or something.

My attempts

My first naïve attempt was to host a meeting of my own, get a meeting link, and substitute the meeting ID and password:

https://zoom.us/j/012345678?pwd=0123456

Surprisingly, this sorta worked. Navigating to this link will launch the Zoom client and prompt you for the meeting password, which suggests that the meeting ID but not the meeting password is being passed.

Since the host is a member of an organisation, I thought perhaps I needed to use the organisation-specific link, e.g.:

https://lacuna-technologies.zoom.us/j/012345678?pwd=0123456

However, this worked no better.

It was then I realised that the Zoom client is hashing or encoding the password URL parameter in some way. Instead of simply passing pwd=0123456, Zoom would pass pwd=ZGx3cTVHU1FHU0Q3LzhRK2lOV0RLdz09 for instance. Initially, since the length of the string was 32 characters, I thought it might be a simple MD5 hash. However, I quickly realised the length of the string wasn't fixed and might be 31 characters, or some other length. The last 3 characters appeared to be fixed though.

I also tried to base64 decode it. Sometimes, base64 decoding it twice would produce a string of alphanumeric characters, which suggested that a double base64 encode formed some part of the encoding algorithm (as also observed by participants of this thread). But clearly there were some other steps I was missing.

Sidestepping the problem

At this point I was getting a bit restless and attempting to reverse-engineer Zoom's encoding algorithm by trial and error seemed a bit too tedious an endeavour. I therefore settled for a simpler solution: simply use a deep link URL instead. Deep links generated by Zoom still appear to use a plain text password URL parameter instead an encoded one, so this allowed me to sidestep the encoding algorithm issue.

I'm not entirely sure why Zoom began encoding its meeting passwords. On the one hand, this does prevent passwords from being saved in plaintext in the browser history, or being displayed in plaintext in the address bar (which may have led to Zoombombing when people share a screenshot of their in-browser Zoom meeting). But on the other hand the password is still there — it's just encoded. If you have the meeting link that includes the encoded password you join the meeting just as easily as before. Maybe the length of an encoded password ensures that it is never fully visible in the browser address bar? But this could just as easily be addressed by generating longer passwords by default.¹

Anyway, a deep link like the following worked almost-perfectly:

zoommtg://zoom.us/join?confno=012345678&pwd=0123456

My sole nit-pick was that deep links aren't hyperlinked by default in some applications, like WhatsApp, Telegram, Microsoft Word, etc. Or worse, the bit beginning from zoom.us is hyperlinked only, so the link appears to be broken to less tech-savvy users.

My solution to this was to make a simple site that redirects you to the deep link and host it at a pretty URL, e.g. https://zoom-link.example.org:

<html>
<title>Convenient Zoom Link</title>
<body>
  <noscript>Javascript must be enabled</noscript>
  <script>
    const { userAgent } = navigator
    if (userAgent.match(/(Android|iPhone|iPad|iPod|Opera Mini|phone|mobile|tablet)/i)) {
      window.location.href = `zoomus://zoom.us/join?confno=012345678&pwd=0123456`
    } else {
      window.location.href = `zoommtg://zoom.us/join?confno=012345678&pwd=0123456`
    }
  </script>
</body>
</html>

This has the added benefit of opening the appropriate deep link on mobile.