Amid the ongoing COVID-19 pandemic, millions of people around the world have been forced into their homes. As industries shut their doors, tens of millions are working from home. We have seen how this has resulted in a surge of usage across services, such as Microsoft Teams and Slack. Zoom is one of those services. The online video-conferencing platform has seen a major uptick in its userbase. Clearly, the software provides an important tool for people stuck at home who need t conduct meetings. However, trolls and attackers have seen an opportunity to exploit people on the service. Zoom says users should avoid sharing meeting links from the platform on social media or publicly. Furthermore, the company has advised users on simply settings changes that can stop Zoom-Bombing. “As more people use our platform and host their virtual events using Zoom, we wanted to offer up tips to ensure everyone joining an event does so with good intentions,” according to a recent Zoom blog post. “Like most other public forums, it’s possible to have a person (who may or may not be invited) disrupt an event that’s meant to bring people together.” Users have been reporting cases where bad actors were accessing Zoom meetings. When doing so, the unknown parties were leaving sexist remarks, racist messages, and pornographic images. The activity gained enough traction across the platform that it gained its own name… Zoom-Bombing.
Big Bombs
Some of the attacks have been persistent enough that meetings have been called off and participants have left. It seems all the threat actors need to join a meeting is a link. Many people post publicly as invites to other meeting participants. Jessica Lessin was in a meeting with New York Times contributor Kara Swisher that was Zoom-Bombed. On Twitter, Lessin said the meeting was abandoned after a bad actor posted the shock porn video “2 Girls One Cup”. She adds the third party was switching accounts and could not be blocked from the meeting.
— Jessica Lessin (@Jessicalessin) March 20, 2020 Zoom has warned users not to make meeting links public, limiting invites to trusted people or those who are wanted in the meeting. Furthermore, the company says users should not share their Zoom Personal Meeting ID (PMI) when hosting. “Your PMI is basically one continuous meeting and you don’t want randos crashing your personal virtual space after the party’s over,” according to the blog post. Elsewhere, the California-based company says meeting hosts should use the Waiting Room setting. This gives hosts a virtual staging area where they can see who has entered a meeting and manage their inclusion before the meeting is underway.