With the rapid increase in the use of video conferencing associated with social distancing to cope with COVID-19, the video conferencing application Zoom has seen rapid growth in the last month.
Although there are consumer versions of Zoom available, the main market was originally corporate clients, where Zoom would be further configured by the corporate IT staff. The mass adoption of Zoom by consumers has resulted in the discovery of some important security flaws in the product, particularly when it is not further configured, as will be the case for most consumers.
The most serious of these flaws could result in the disclosure of the computer user's credentials to a remote computer when a specially formatted link is posted in the Zoom client chat. The credentials will include the username and the user's password hash, which could be used to obtain the user's password. In the case of a company computer on a Windows domain, this would be the employee's corporate account information, a significant issue.
Fortunately, Zoom was very quick in addressing the vulnerability, and it no longer exists.
At first, Zoom allowed uninvited guests to join any Zoom session. The media has termed this Zoombombing. It is tied to the public nature of the default conference settings in Zoom. Each Zoom meeting has a Meeting ID, and unfortunately, the Meeting ID is only a 10-digit number. The 10-digit ID is the only information required to access a meeting, even if someone is not directly invited to the meeting.
So, if the Meeting ID is widely shared, almost anyone can join the meeting. Additionally, each Zoom account has a Personal Meeting, with a Personal Meeting ID (PMI). It is also a 10-digit ID and does not change. Therefore, if you share your PMI with someone, that person will be able to join any additional meeting held under that ID.
Zoom has made several recommendations to combat this:
While writing this blog post, I set up a few meetings in Zoom, and new meetings now have a password by default. This shows that Zoom is addressing the issue. However, we would still recommend that all users review their Zoom settings to verify that this is their default and review old meetings to ensure that passwords are set on them.
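One way to carry out the review recommended above, as an added example that is not part of the original post or any Zoom tooling: it checks a list of scheduled meetings for missing passwords and for use of the Personal Meeting ID. The inventory, its field names (`meeting_id`, `topic`, `password`) and all IDs are constructed for illustration and are not Zoom's export or API schema.

```python
import re

# Constructed sample inventory. The field names (meeting_id, topic, password)
# are assumptions for this example, not Zoom's export or API schema.
SAMPLE_MEETINGS = [
    {"meeting_id": "555 010 0001", "topic": "Weekly staff call", "password": ""},
    {"meeting_id": "555-010-0002", "topic": "Board review", "password": "k7Tq2m"},
    {"meeting_id": "5550109999", "topic": "Open office hours", "password": "p4Lw9x"},
    {"meeting_id": "555 010 9999", "topic": "1:1 catch-up", "password": None},
]
SAMPLE_PMI = "555-010-9999"  # constructed Personal Meeting ID


def normalize_id(raw):
    """Strip spaces and dashes so '555 010 0001' and '5550100001' compare equal."""
    return re.sub(r"\D", "", str(raw))


def audit_meetings(meetings, personal_meeting_id):
    """Return (meeting_id, topic, issues) for every meeting that needs attention."""
    pmi = normalize_id(personal_meeting_id)
    findings = []
    for meeting in meetings:
        meeting_id = normalize_id(meeting.get("meeting_id", ""))
        issues = []
        # A meeting with no password can be joined with the ID alone.
        if not (meeting.get("password") or "").strip():
            issues.append("no password set")
        # The PMI never changes, so anyone who has it can join later sessions.
        if meeting_id == pmi:
            issues.append("uses Personal Meeting ID")
        if issues:
            findings.append((meeting_id, meeting.get("topic", ""), issues))
    return findings


if __name__ == "__main__":
    for meeting_id, topic, issues in audit_meetings(SAMPLE_MEETINGS, SAMPLE_PMI):
        print(f"{meeting_id}  {topic}: {', '.join(issues)}")
```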
Have any questions about Zoom security and keeping video conferencing in general secure? Please reach out to us at any time.
About the Author
Geoff Whidden
As a Solution Architect, I design data networks for small to medium organizations (5-500 seat). Emphasis is on platform and application cloud services. I currently manage the network Solution Architects at Sikich and am the technical lead and Cloud Solution Architect for the Microsoft Azure Practice. Specialties: Microsoft Azure, Office 365, Windows Server, Hyper-V, Windows Failover Cluster, Active Directory, Windows Server, Exchange, SQL, Cisco ASA Firewalls, Switches and Routers