Officials at Zoom have released tips for users of their video-conferencing platform to help avoid getting “Zoom-bombed” by trolls and even more serious threat actors during online meetings.
The developers of the online video-conferencing service cautioned users to avoid sharing Zoom meeting links publicly and widely on social media and to use some simple management tools within the system to help avoid scenarios in which uninvited participants disrupt meetings in unpleasant and threatening ways.
“As more people use our platform and host their virtual events using Zoom, we wanted to offer up tips to ensure everyone joining an event does so with good intentions,” according to a recent Zoom blog post on the topic. “Like most other public forums, it’s possible to have a person (who may or may not be invited) disrupt an event that’s meant to bring people together.”
The company posted in response to numerous reports of threat actors upending Zoom meetings with hate speech such as racist messages, threats of sexual harassment, and pornographic images that drive meeting participants offline or force the meeting to be abruptly cancelled. Some of the attacks have even gone so far as to threaten those attending the meeting with physical harm.
Zoom has become the de facto platform for the post-Covid-19 business environment as the pandemic has forced workers to stay at home while still conducting everyday business.
Organizations ranging from corporations to small businesses to schools to fitness instructors and even therapists are now meeting clients online using Zoom amid the quarantine and stay-at-home orders that have rolled out globally in the wake of the coronavirus’ rapid spread.
Our video call was just attacked by someone who kept sharing pornography + switching between different user accounts so we could not block them. Stay tuned for next steps. And I am sorry to everyone who experienced. We shut down as soon as we could.
— Jessica Lessin (@Jessicalessin) March 20, 2020
However, it didn’t take long for threat actors to sabotage this new way of conducting business by using public links to hop on meetings to shock, taunt or scare users.
In one such episode in California, unknown participants crashed a school-district Zoom meeting with chants of the N-word, cackles, pornographic images, and even threats that they would find out the home addresses of the attendees. Another Zoom-bombing occurred during a meeting hosted by Mexican food chain Chipotle, which experienced disruption by a pornographic image, one of the attendees reported on Twitter.
Kara Swisher, a journalist and contributor to the New York Times, and collaborator Jessica Lessin were forced to shut down a Zoom meeting about challenges women tech leaders face after just 15 minutes because a participant bombed it with the shock video “2 Girls One Cup,” Lessin reported on Twitter. The uninvited participant switched between accounts so the hosts could not block the disruption, she said.
The problem has become prevalent because of the ease with which anyone can join a Zoom meeting if they know the meeting link, which means hosts need to set some specific parameters to help prevent Zoom trolls from gaining access, according to Zoom.
The company warned Zoom users to be careful when sharing links via social media and try to ensure only trusted colleagues or participants can join the meeting. Officials also advised that people avoid using their Zoom Personal Meeting ID (PMI) to host events.
“Your PMI is basically one continuous meeting and you don’t want randos crashing your personal virtual space after the party’s over,” according to the blog post.
Another way to prevent Zoom-bombing is to use the Waiting Room feature, which lets meeting hosts see participants in a virtual staging area so they can be vetted; participants can’t join the meeting until the host gives the green light, according to the post.
Other management features in the platform that are helpful to mitigate such attacks include only allowing participants to log into Zoom with an email through which they were specifically invited to the event; locking the meeting once all invited participants have joined so no one else can jump on; using a “remove” feature to kick off unwanted participants that do manage to join; and disabling the video of a participant so a nasty broadcast can be cut off.
Moreover, Zoom meeting hosts don’t even have to send out a public link for users to participate in their meetings, according to the post. Hosts can instead generate a random Meeting ID when scheduling an event and require a password to join.
While meeting IDs can be shared on social media such as Twitter, a user would need a password sent by the host using a direct message to actually join the meeting online, providing more protection against unwanted visitors, the company said.