“Zoombombing” is when an uninvited person joins a Zoom meeting. This is usually done in an attempt to gain a few cheap laughs at the expense of the participants. Zoombombers often hurl racial slurs or profanity, or share pornography and other offensive imagery.
This issue isn’t necessarily a security flaw. The problem is how people handle public Zoom meeting links. These links are shared thousands of times between clients, friends, colleagues, classmates, and so on. Careless handling of them can result in a Zoom meeting being open to public access. Then, anyone who finds the link can join an in-progress meeting.
Public Zoom meeting links have even reportedly shown up in the results when people search for “zoom.us” on Google. Anyone who finds such a link can join that meeting. And yes, Zoombombing is illegal in the U.S.
How to Protect Yourself
It didn’t take Zoom long to react to Zoombombing. On April 5, 2020, the company announced some features that could improve security would be enabled by default. Still, it’s best to be proactive and take the necessary steps to protect yourself.
Zoom has a settings menu you should visit before you start a meeting. After you log in on Zoom’s website, click the “Settings” tab in the pane on the left.
You’re now in the “Meeting” tab of the settings menu.
Features You Should Disable
There are many useful features here, but we recommend you disable the following to protect your meeting:
- “Embed Password in Meeting Link for One-Click Join”: This encrypts the password in the “join meeting” link. To join a meeting, all anyone has to do is click the link, which completely defeats the purpose of requiring a password. Turn off this feature for security.
- “Screen Sharing”: This allows the host and participants to share their screens during the meeting. You can either completely disable this or allow only the host of the meeting to share his screen. Disabling this prevents people from sharing inappropriate content during the meeting. They’d have to actually hold an image up to the webcam, rather than simply pull it up on their desktop.
- “Remote Control”: This allows someone who is sharing her screen to let other participants take remote control of her system. Disable this feature if you don’t need it.
- “File Transfer”: Allows meeting participants to share files in the meeting chatroom. Disable this if you don’t want files to be shared. Alternatively, you can select the “Only Allow Specified File Types” option to ensure that people can only share certain types of files.
- “Allow Participants to Rename Themselves”: If a Zoombomber doesn’t have access to the chatroom, they can get their message across by typing it as their name. Disable this to remove that option.
- “Join Before Host”: This allows people to join a meeting before the host arrives. Don’t let Zoombombers beat you to your own meeting. It’s disabled by default.
- “Allow Removed Participants to Rejoin”: If this is enabled, participants you kick out of a meeting can rejoin. Disabled so that once a Zoombomber is gone, he’s gone for good. It’s disabled by default.
Features You Should Enable
The following are some features we recommend you enable to improve your security:
- “Mute Participants Upon Entry”: If someone does Zoombomb your meeting, you can shut them up before they even have a chance to speak. You can decide later who gets to talk.
- “Always Show Meeting Control Toolbar”: Turning this on means you’ll have quick access to the controls during a meeting.
- “Identify Guest Participants in the Meeting/Webinar”: This identifies who belongs in your group, as well as any attendees who join as guests.
- “Waiting Room”: Force all attendees to experience Zoom purgatory by placing them in a waiting room before they’re able to join the meeting. The host can then decide if they can join or not. As of April 5, 2020, this feature is enabled by default.
- “Require a Password When Scheduling New Meetings”: Force people to type a password before they can join a meeting. This way, even if someone finds the link, they can’t join without the password. This is also now enabled by default.
It’s up to you to protect yourself and your meetings. While these options aren’t necessarily bulletproof—if someone shares a link and password publicly, you might still get a Zoombomber in the waiting room—they provide a lot of protection.