Definition

Zoombombing

Corinne Bernstein

By

Corinne Bernstein

What is Zoombombing?

Zoombombing is a type of cyber-harassment in which an unwanted and uninvited user or group of such users interrupts online meetings on the Zoom video conference app.

This disruption occurs when intruders gate-crash digital gatherings -- sometimes for malicious purposes, such as sharing pornographic or hate images or shouting offensive language -- without the host's permission.

The Zoom cloud platform offers video and audio conferencing, collaboration, chat and webinars via mobile devices, desktops, telephones and room systems and is the signature offering from Zoom Video Communications Inc., a publicly traded company founded in 2011.

Recognizable by its grid view that lets participants see everyone on a call at once, Zoom became popular because of its ease of use and installation, as well as its freemium pricing model.

With the COVID-19 virus outbreak in early 2020, demand for the Zoom video conferencing app surged to unprecedented levels as business meetings, classes and even family gatherings shifted online, and users sought ways to stay in touch virtually while social distancing.

As the number of Zoom meetings increased, reports of Zoombombing followed.

How Zoombombing works

In a March 2020 warning about Zoombombing, the Federal Bureau of Investigation (FBI) advised individuals transitioning to online meetings and classes to practice "due diligence and caution in [their] cybersecurity efforts." The FBI recommended keeping video conferences private and avoiding openly posting links to online gatherings on social media platforms, such as Twitter or Facebook. Hosts should provide links to specific invitees only, experts advised.

Conferences are vulnerable to Zoombombing when they are hosted on public channels shared over the internet through meeting URLs, making them easily accessible to unwanted trolling. If hijackers can figure out the correct URL or meeting ID for a public Zoom session, they can gain access to the meeting. A basic Google search for URLs containing "Zoom.us" can unearth unprotected links of meetings; plus, links to public meetings may be available on organizational pages on social media.

In addition, if Zoom screen-sharing privileges are not set to "host only," uninvited guests can share disturbing images or potentially malware. Also, a remote-control feature lets users take control of another participant's screen in a meeting. A user can either ask for remote control of another participant's screen, or the other participant can grant control to a user.

How to prevent Zoombombing

To avoid interruptions from Zoombombers, a conference host should use a one-time meeting ID and not a Personal Meeting ID -- a 10-digit number that someone could use to join the meeting without an invitation. Organizers should also require users to enter a passcode to join the call.

An additional protective feature is Zoom's Waiting Room, where the host must admit attendees. To activate Waiting Room, sign into the Zoom web portal, click Meetings and select a meeting topic or schedule a new meeting. Select Enable Waiting Room under Meeting Options.

Zoom has encouraged those hosting large, public group meetings to adjust their settings so that only they can share their screens. To ensure only the host of a meeting can share a screen, tap the Share Screen button, and select Advanced Sharing Options.

After the meeting has begun and all attendees are present, the host can lock the virtual room. Using the "More" menu to mute all participants as they enter and not allowing participants to unmute themselves can also help prevent disruptions. The host can remove participants by hovering over their names.

If a Zoom meeting is hijacked, users can let the company know. In a software update, the company added a "report a user to Zoom" button. This feature can produce a report to be "sent to the Zoom Trust and Safety team to evaluate any misuse of the platform and block a user if necessary," according to the company.

Zoom security updates

To help boost video conferencing privacy and security, users should employ the latest version of remote access/meeting applications, the FBI recommended.

In a January 2020 Zoom update, the company added password protection by default for meetings and disabled the ability to randomly scan for meetings to join.

In late April 2020, Zoom further tightened security with the release of new encryption and privacy controls to help prevent the hijacking of online meetings. The video conferencing platform now enables hosts to report a user to Zoom with a security button. Additionally, the app now sends users by default to a waiting room, where they must wait for approval to enter a meeting. A password is also necessary to enter all meetings.

In May 2020, Zoom upgraded its application encryption standard to Advanced Encryption Standard 256-bit Galois/Counter Mode. This adds a layer of privacy and minimizes the likelihood of video conferences being hijacked.

In the fall of 2020, Zoom settled a Federal Trade Commission complaint alleging the company had engaged in "deceptive and unfair practices" for years by falsely claiming to protect user communications with end-to-end encryption (E2EE).

Around that same time, the company added an E2EE option. In 2021, Zoom settled an additional class-action privacy lawsuit, denying wrongdoing but agreeing to compensate individual users and small business accounts for its allegedly false security claims.

A sender uses a recipient's public key to encrypt a message. The recipient uses the corresponding private key to decrypt the note. — With end-to-end encryption, only the participants' devices can decrypt content. That means even Zoom can't hear or see E2EE meetings or recordings.

In addition to Zoombombing, the app was criticized for other vulnerabilities, including one in which a hacker could take control of a user's computer. Seeking to address security issues, Zoom has enhanced its bug bounty program to encourage security professionals to alert it to potential bugs. Zoom continues to issue patches as it uncovers new security vulnerabilities, and the company encourages users to keep their Zoom software up to date.

Zoom's success at addressing security and privacy issues will have a major impact on the application's success in the long run.

Another challenge Zoom faces is growing competition from Facebook, Google and Microsoft, as well as Cisco Webex, LogMeIn, GoToMeeting, BlueJeans and Arkadin Cloud Communications.

Editor's note: This definition was written by Corinne Bernstein in 2020. TechTarget editors revised it in 2023 to improve the reader experience.

This was last updated in December 2023

Continue Reading About Zoombombing

Zoom launches Okta Authentication for E2EE to verify identity

Where do Zoom recordings go? How to find saved recordings

Securing a remote workforce amplifies common cybersecurity risks

Common problems with hybrid meetings and how to fix them

Zoom etiquette: Tips for better video conferences

Dig Deeper on Application and platform security

Search Networking

How AIOps enables next-generation networking
As networks grow more complex, management becomes more difficult. AIOps can help network administrators transition to and manage ...
BGP routing: A configuration and troubleshooting tutorial
BGP is the internet's core routing protocol, enabling communication between ISPs and large networks. This guide covers its ...
Cisco Live 2025 conference coverage and analysis
Cisco Live 2025 will largely focus on the need to modernize infrastructure with AI capabilities. Use this guide to follow along ...

Search CIO

Proposed U.S. budget cuts raise fears about tech innovation
President Donald Trump's proposed FY 2026 budget slashes funding for federal agencies, including NSF and NIST, which support tech...
RIT showcase offers glimpse of early tech innovation cycle
Connected vehicle security, AI and 3D printing were among the technologies featured at Imagine RIT, an annual exhibition focusing...
Contempt order worsens Apple's antitrust woes
A federal judge found Apple to be in contempt of an injunction ordering the company to make access to alternative payment options...

Search Enterprise Desktop

How to create a custom Windows 11 image with Hyper-V
When administrators can deploy Windows systems in many ways, creating a custom VM with Hyper-V enables them to efficiently deploy...
End users can code with AI, but IT must be wary
The scale and speed of generative AI coding -- known as vibe coding -- are powerful, but users might be misapplying this ...
10 troubleshooting steps for when Windows Update is frozen
When a Windows desktop is frozen and can't update, there could be many causes. The troubleshooting process can be complicated, ...

Search Cloud Computing

Get started with Amazon Q Developer
Amazon Q Developer is a versatile tool for software development, offering code generation, optimization recommendations and ...
HPE adds Morpheus Data to KVM hypervisor for enterprises
A KVM hypervisor by Hewlett-Packard Enterprise evolves with technology and capabilities from Morpheus Data, an HPE acquisition, ...
Gain insights with Enhanced Monitoring in Amazon RDS
RDS Enhanced Monitoring provides teams with additional data visibility to improve database scalability, performance, availability...

ComputerWeekly.com

Tackling the UK’s cyber threats
In this week’s Computer Weekly, we report from the National Cyber Security Centre’s annual update on the state of UK security and...
Connectivity kicks in for Sunderland at the Stadium of Light
Sunderland AFC enhances high-demand density connectivity coverage, capacity and performance across stadium involving leading ...
Standard Chartered grounds AI ambitions in data governance
The bank’s group chief data officer, Mohammed Rahim, outlines how the bank is modernising its data infrastructure and governance ...

Close