To stop a wave of hijackings, Zoom is requiring passwords on all previously scheduled meetings, and also enabling the “Waiting Room” feature for whenever you host a video session.
The change will take effect on Sunday as the company’s video conferencing software has become the target of pranksters and racists, who’ve been infiltrating Zoom sessions to embarrass and harass unsuspecting users.
The company quietly created an FAQ page about the upcoming change on Thursday. Then today, Zoom began to email users about the new security enhancements, which was first noticed by Techcrunch.
“If your attendees are joining via a meeting link, there will be no change to their joining experience,” the email says. “For attendees who join meetings by manually entering a Meeting ID, they will need to enter a password to access the meeting.”
The password requirement may be in response to a Thursday report from security journalist Brian Krebs about how security researchers had created a tool to find Zoom meetings that have no password protection in place. Because meeting IDs for Zoom sessions only consist of 9 to 11 digits, you can automate a process to randomly test for valid Zoom meeting IDs, and thus gain access.
According to Krebs, in one day of scanning, the researchers were able to turn up nearly 2,400 Zoom meetings — all of which could be easily hijacked to spy on users or harass them.
However, the decision to turn on the Waiting Room feature for all users will probably make the biggest difference in stopping the hijacking incidents. It works by requiring the host to admit which guests can enter a video meeting, making it a handy tool to keep out unwanted guests.
Indeed, hijackers are learning both the meetings IDs and passwords to Zoom sessions due to people posting the details on social media or in online chats. Shareable URLs for upcoming Zoom meetings can also contain the password inside the link. This makes it easy to access a meeting with simply one click, even if the URL ends up in the wrong hands.
“We highly recommend using this (Waiting Room) feature to secure your meetings and prevent unwanted participants if a link is shared outside of the intended participants,” Zoom said in the FAQ.
However, the Waiting Room feature does come at the cost of some convenience. Once the change takes effect, a host of a Zoom meeting will need to manually admit who can attend a video session. Nevertheless, users can choose to disable the function by going into their account settings.
For Zoom users who’ve been scheduling meetings without passwords, the company says you’ll need to send the invitation out again, which will now include the password. Or you’ll have to send the invitees the password yourself.
“To resend the meeting invitation, click Copy Invitation in your Zoom desktop client in the Meetings tab. You can also click Copy the Invitation on the Meeting detail page of the Zoom web portal,” the FAQ page says.
Further Reading
- Zoom's Encryption Keys Are Sometimes Being Sent to China, Report Finds
- Zoom: Rush of WFH Users Exposed Security, Privacy Flaws We Plan to Fix
- Were You Zoom-Bombed? Video of It May Now Be on YouTube, TikTok for All to See
- Amid Pandemic, Microsoft Alerts Dozens of Hospitals Vulnerable to Ransomware Threat
- More in Security