A Look Inside The Weird World of Zoom Bombing
With the advent of the coronavirus era, more of us than ever before are availing of the excellent Zoom video conferencing service.
Although a huge amount of excellent material on Zoom can be found through a simple keyword search (zoom.us/j should bring up a ton), there are unfortunately also hordes of malicious internet trolls who are looking for meetings to inject with racist abuse, pornographic images, and other unwelcome additions.
Thankfully, Zoom has plenty of security features to prevent this from needing to be a concern for hosts.
Here are some of them — and here’s how well Zoom Bombing is currently being coordinated.
Lesson 1: Never Share Your Invitation Link Publicly
If you’re interested in seeing what will happen if you do publicly tweet your next Zoom conference join link, then watch the above video from 10:10.
If you don’t then here’s the answer: a lot of trolls will join. And quickly!
10 seconds after tweeting Zoom link:
20 seconds after tweeting Zoom link:
There are two credentials that will give Zoom Bombers immediate access to your next Zoom meeting and which should never, under any circumstances, be publicly shared. These are:
- Your Personal Meeting ID (PMI) — This is essentially a continuously rolling meeting associated with your Zoom account. It’s useful when you don’t want to send participants different credentials every time you host a meeting with them. If you expose this credential publicly, you will likely be flooded with randomers on an ongoing, sporadic basis.
- Your Zoom invitation link.
If you pull a link like this out of the web UI then you’ve probably noticed that this URL actually contains all the elements needed to join the meeting with one click. In fact, that’s the whole point!
The link contains both the meeting ID and a password key.
Tweeting your join password in this manner basically invites anybody in the entire world to join your Zoom conference as soon as you hit the start button.
And yet the volume of users that send these links over Twitter is staggering.
To find them, simply search for:
The results will be a mixture of unfortunate users who think that they are simply publicizing their next conference (without giving the world access) and bored teenagers deliberately attempting to sabotage their classes.
Here’s a bored teenager trying to sabotage an online class:
And here’s somebody who doesn’t realize that they’ve just invited the entire internet to their next school board meeting:
Where Zoom Bombing Is Being Coordinated: Reddit and Discord
Zoom Bombing is a multi-faceted endeavor.
Although it can be used by bored teenagers to intentionally disrupt their online classes, it also has a more nefarious side.
Zoom Bombing has been used to facilitate:
- Racial abuse;
- The deliberate disruption of legitimate Zoom meetings (such as AA meets) by flooding the meeting with malicious participants;
- The recording of minors by sex predators.
Those engaging in Zoom bombing refer to themselves as “Zoom raiders” and the activity as “Zoom raiding.” So if you want to find out how the “pros” are getting in on the action, it helps to search for these terms.
(Note: if enforcement steps up, the internet will probably invent a new moniker for “Zoom raiding” and coordination might move to the dark web. Although, given that Zoom raiding simply involves taking advantage of other people’s negligence, it’s hard to see on what basis the activity could be banned.)
Although anybody that knows how to type zoom.us/j into a Twitter search is capable of finding a massive volume of unprotected Zoom links, the activity needs to be coordinated with other Zoom raiders to maximize disruption.
That activity is generally coordinated on some of the usual hacker haunts: Reddit and Discord.
Here are a few subreddits for posting Zoom links. At the moment, they’re springing up at a rate of about one a day:
And here’s a look inside a Discord server. These appear to be getting shut down by Discord, but — like subreddits — a new Discord server can spring back up virtually instantaneously.
Participants circulate open Zoom links and then coordinate when to join and what to do:
How To Protect Your Zoom Meetings
For all the media attention Zoom Bombing has gotten over the past few days, preventing your next meeting from falling victim is actually really simple.
Although there are hackers working on Zoom meeting ID randomizers, these have relatively little likelihood of working, because a join password is required by default (do not turn that setting off!).
So the only real way to have your next Zoom meeting hacked is if you publicly share your Zoom link.
So don’t do that.
To not fall victim to a Zoom Bomb you should:
- Never share your Zoom join link over a public-facing forum — such as Twitter.
- Enable a waiting room, enable mute participants upon join, and screen anybody whose name you don’t recognize.
- Remove trolls.
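Because the join link bundles the meeting ID with the password key, the one check worth automating is on your own outgoing messages: flag any Zoom join link that still carries the password before it is posted publicly. The following is an added example, not code from the original post or from Zoom; it assumes the password key travels as the `pwd` query parameter of a `zoom.us/j/<id>` URL, and the sample messages are constructed.

```python
import re
from urllib.parse import urlparse, parse_qs, urlencode, urlunparse

# Constructed sample messages (not real meetings): one that leaks the
# one-click credential, one with only a meeting ID, one with no link.
SAMPLE_MESSAGES = [
    "Board meeting tonight: https://us02web.zoom.us/j/1234567890?pwd=abcDEF123 see you there",
    "Meeting ID only: https://zoom.us/j/1234567890",
    "No link here, just an announcement.",
]

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def is_zoom_join_link(url: str) -> bool:
    """True if the URL points at a Zoom join endpoint (zoom.us/j/<meeting id>).
    The host check anchors on the zoom.us domain so look-alike hosts don't match."""
    p = urlparse(url)
    host = p.hostname or ""
    return (host == "zoom.us" or host.endswith(".zoom.us")) and p.path.startswith("/j/")


def has_embedded_password(url: str) -> bool:
    """True if a join link carries the password key (assumed: the pwd parameter)."""
    return is_zoom_join_link(url) and "pwd" in parse_qs(urlparse(url).query)


def redact_password(url: str) -> str:
    """Return the join link with the pwd value blanked, keeping the meeting ID
    but removing the credential that grants one-click access."""
    p = urlparse(url)
    q = parse_qs(p.query, keep_blank_values=True)
    if "pwd" in q:
        q["pwd"] = ["REDACTED"]
    return urlunparse(p._replace(query=urlencode(q, doseq=True)))


def scan_message(text: str) -> dict:
    """Pre-post check for a message: list the links that would publish a join
    password and produce a copy of the message that is safe to post."""
    leaked = [u for u in URL_RE.findall(text) if has_embedded_password(u)]
    safe = text
    for u in leaked:
        safe = safe.replace(u, redact_password(u))
    return {"leaks_password": bool(leaked), "links": leaked, "redacted": safe}


if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        print(scan_message(msg))
```

The redacted copy keeps the meeting ID, so invitees who already have the password can still join while the credential itself stays off the public forum.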