Inside job: Why Zoombombing isn’t as random as you might think

OLIVIER DOULIERY/AFP via Getty Images

Last year wasn’t exactly short of threats facing humanity, but “Zoombombing” was an especially 2020 kind of disruption, one that sought to hijack one of the most prominent means of communication by which people stayed in touch with everyone from co-workers to friends and family during lockdown.

Zoombombing, for those unfamiliar with it, works like this: An unwanted participant or participants access a Zoom call without being invited, against the wishes of the participants, and cause problems. One Massachusetts-based high school’s Zoom session was hijacked by an individual who screamed profanities and then shouted the teacher’s home address. On social media, some users reported that their Zoom session had been taken over and used to show pornographic content.

Zoom, whose usage exploded during the pandemic, was suddenly at the center of what appeared to be a glaring vulnerability problem: It was as if the leading manufacturer of front door locks revealed a high failure rate during a home invasion epidemic.

But researchers from Binghamton University in New York say there’s more to this story than meets the eye. According to a world’s-first study they have carried out, the majority of Zoombombing incidents are actually inside jobs. To draw an analogy with creepy campfire stories about terrified babysitters: “The calls are coming from inside the house.” Well, kind of.

“There were a lot of people that thought that maybe this was some kind of clever hacking, or else [the result of attackers] finding people that would accidentally post Zoom links on social media or sending out email blasts,” Jeremy Blackburn, an assistant professor of computer science at Binghamton University, told Digital Trends. “[People figured it was] these outsiders who were randomly showing up, somehow finding a link to a meeting. It was an act of attack that the Zoombombers were perpetuating, just by themselves.”

Lone wolves, online packs

Blackburn’s major research interest, his university website profile notes, involves “understanding jerks on the internet,” from toxic behavior and hate speech to fringe and extremist web communities. He was intrigued by the rise of Zoombombing as a phenomenon, but also not entirely convinced by the theories.

How were they getting in? They could be brute-forcing the call IDs, but given the size of the search space, it seemed unlikely that they would be able to consistently find active calls to target. And while human error was certainly possible, in terms of people leaving Zoom links lying around, this also seemed improbable.

To quote Sherlock Holmes’ popular aphorism: When you have eliminated the impossible, whatever remains, must be the truth. Or, in this case, if people aren’t breaking into Zoom calls on their own, someone on the call must be willfully letting them in.

“As it turns out, what we found is that Zoombombings were perpetuated by people that were legitimately in the call,” Blackburn said. “What would happen is that [a member of the call] would go ahead and share the meeting link on some fringe websites and say, ‘Hey guys, show up and, you know, say the ‘N-word’ or whatever in the call.’ Pretty much every time, it was a student asking people to come [and] Zoombomb lectures. They would also do things like say, ‘Hey, use this name when you connect, because that’s the name of somebody else in the class.'”

To reach this conclusion, the researchers scoured tens of millions of social media posts, uncovering more than 200 calls for Zoombombing between Twitter and 4chan during the first seven months of 2020 alone. Between January and July that year, they identified 12,000 tweets and 434 4chan threads that discussed online meeting rooms, then used thematic qualitative analysis to identify the posts calling for Zoombombing. As Blackburn noted, the majority of the calls for Zoombombing in their dataset targeted online lectures, with evidence of both universities and high schools being the most heavily targeted groups.

In addition to Zoom, they also found evidence of similar “bombing” attacks on other popular communication platforms including Hangouts, Google Meet, Skype, Jitsi, GoToMeeting, Microsoft Teams, Cisco Webex, BlueJeans, and StarLeaf.

“[For a company like Zoom], unless they perform the type of investigation we did, on their end it seems really difficult to detect this type of thing,” Blackburn said. “Because it’s not really a technical vulnerability. It’s kind of a sociotechnical vulnerability … If they were just looking at traffic [or whatever other] metrics they have, I’m not sure it would be possible to purely detect this. You would need a study like ours that goes out and specifically tries to understand how this sociotechnical problem is unfolding.”

(Digital Trends reached out to Zoom for comment, and we will update this story when we hear back.)

Security trade-offs

The results pose a challenge for communication platforms like Zoom. Their ease of use makes them appealing. Just click a link and you’re suddenly talking to your friends or joining the morning huddle at work. But this also necessitates lowering security measures that could eradicate this behavior.

“Anything involving security is always kind of a trade-off between ease of use and the robustness of the security,” Blackburn said. “I don’t think people [would want to] go through a whole process of registering individual users and creating one-time links [in a more time-intensive manner]. It’s much easier, and much more straightforward for non-tech-savvy people, to just have a link, click it, and it opens the program. That is certainly a big reason that Zoom gained the type of adoption it did. If it would have had a much more complicated, but secure, registration system, I would imagine something else would have [become] the dominant application.”

Zoom does offer passwords as a login option. However, given the complicity of users, they would seem unlikely to have blocked Zoombombers with the right advance knowledge. The same is true for waiting rooms, in which the host must manually approve people for entrance. While this would seem to be a more secure option, waiting rooms are insufficient if the Zoombombers name themselves after people in a class in order to confuse the teacher or lecturer. (Thanks to a recent update, hosts can, however, pause their meetings to manually remove troublesome participants.)
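The waiting-room weakness described above comes down to trusting a display name that the joiner types in. As an added illustration (not code from the article, the researchers, or Zoom), the sketch below triages waiting-room requests so that a name alone never admits anyone and a name that duplicates someone already present is flagged. The `JoinRequest` model, the roster format and all sample names are hypothetical.

```python
import unicodedata
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class JoinRequest:
    display_name: str                    # free text typed by the joiner: spoofable
    account_email: Optional[str] = None  # set only when the platform authenticated the user

def normalize(name: str) -> str:
    """Fold case, Unicode width and spacing so trivially altered names compare equal."""
    return " ".join(unicodedata.normalize("NFKC", name).casefold().split())

def triage(roster: dict, admitted: list, waiting: list) -> list:
    """Return (request, decision, reason) per waiting request.

    roster maps enrolled e-mail -> enrolled name. Only an authenticated
    roster account is admitted; a matching display name proves nothing.
    """
    roster_names = {normalize(n) for n in roster.values()}
    present_emails = {r.account_email for r in admitted if r.account_email}
    present_names = {normalize(r.display_name) for r in admitted}
    present_names |= {normalize(roster[e]) for e in present_emails if e in roster}
    results = []
    for req in waiting:
        name = normalize(req.display_name)
        if req.account_email in roster:
            if req.account_email in present_emails:
                results.append((req, "hold", "account already in the meeting"))
            else:
                results.append((req, "admit", "authenticated roster account"))
                present_emails.add(req.account_email)
                present_names.update({name, normalize(roster[req.account_email])})
        elif name in present_names:
            results.append((req, "hold", "name duplicates a participant already admitted"))
        elif name in roster_names:
            results.append((req, "hold", "roster name without authentication"))
        else:
            results.append((req, "hold", "not on roster"))
    return results

# Constructed sample data: names and addresses are invented for illustration.
ROSTER = {"ana.lee@school.example": "Ana Lee", "raj.patel@school.example": "Raj Patel"}
ADMITTED = [JoinRequest("Ana Lee", "ana.lee@school.example")]
WAITING = [JoinRequest("ANA  LEE"), JoinRequest("Raj Patel"),
           JoinRequest("raj", "raj.patel@school.example"), JoinRequest("Guest 42")]

def sample_decisions() -> list:
    return [(decision, why) for _, decision, why in triage(ROSTER, ADMITTED, WAITING)]
```
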

Blackburn describes Zoombombing behavior as “raiding,” and says that it has always been a part of online life. “Now, it’s using Zoom, but if you go back even to the IRC days (read: Internet Relay Chat, an early text-based chat protocol created in 1988), there were [online] wars where people would try and take over different channels,” he said. “Any time you have computer-mediated communication on the web … [that’s] instant and semi-anonymous, you’re going to have people that get into conflict and attempt to disrupt things. In that sense, it’s not new, it’s the same basic sociotechnical problem with the internet. If there’s an available mechanism to cause trouble, somebody’s going to cause trouble.”

In addition to Blackburn, other researchers on the project include Chen Ling, Utkucan Balcı, and Gianluca Stringhini. A paper describing the work, titled “A First Look at Zoombombing,” is available to read online.

Luke Dormehl
I'm a UK-based tech writer covering Cool Tech at Digital Trends. I've also written for Fast Company, Wired, the Guardian…