Beginning Sunday, Zoom will begin requiring passwords and enabling virtual waiting rooms by default in an attempt to tamp down on the flood of troll attacks that’s accompanied its ballooning userbase in the wake of the covid-19 pandemic.
The multibillion-dollar video messaging platform’s userbase has jumped from 10 million people at the end of last year to more than 200 million in March, revamping Zoom from an enterprise mainstay into a household name as an increasing number of people begin working remotely and adhering to social distancing guidelines. And with that success, the company is discovering, comes a lot of unwanted attention—particularly from teenage pranksters who are bored out of their minds in self-quarantine.
It’s led to so-called “Zoom bombings” wherein malicious actors join random video meetings and broadcast graphic porn and violent imagery. Since Zoom meetings are set to public and allow any participant to screen-share by default, it’s easy for any internet rando with a link to hijack a virtual classroom or city council teleconference with disturbing video clips.
Zoom aims to change that with a bevy of new security measures. Per a Saturday blog post, the company announced that meetings will now have Zoom’s Waiting Room feature enabled automatically so that hosts can more easily screen participants before allowing them to join. It’s a standard measure rolling out to all users after Zoom began making the feature default for virtual classrooms on Tuesday. Although Zoom began making the feature a default setting for its virtual classrooms on Tuesday, it will roll out for all users beginning Sunday.
Teleconferences will now be password-protected by default as well, which comes with several stipulations.
“For meetings scheduled moving forward, the meeting password can be found in the invitation. For instant meetings, the password will be displayed in the Zoom client. The password can also be found in the meeting join URL,” the company wrote in an email to users, as first spotted by TechCrunch.
Most importantly, though, it means people who try to manually join by using a Meeting ID—tags that trolls frequently scrape from social media and share for coordinated raids—will be required to enter a corresponding password as well. It may not squash “Zoom bombings” entirely, as some particularly tenacious hackers could still somehow uncover and circulate both a meeting’s ID and password, but it’s a step in the right direction for curbing the practice.
Zoom also plans to implement an option for end-to-end encryption in the coming months, CEO Eric Yuan recently told the Wall Street Journal—something Zoom previously claimed to feature until several cryptographers called bullshit. In the report, he also reaffirmed a public apology issued Friday for these security failures.
“I really messed up as CEO, and we need to win their trust back. This kind of thing shouldn’t have happened,” Yuan said.
Zoom’s failure to match its exponential growth with essential cybersecurity measures is not only widely considered irresponsible—it’s also attracted the attention of several U.S. authorities. In the last week, the state attorneys general of both New York and Connecticut launched inquiries into Zoom’s practices, and the FBI issued an official warning regarding the company’s lax security.