Zoombombing Security Bug!

Abstract

I want to protect my zoom meeting by disabling invite button for attendees.

My Story:

I have a web application which has a Web SDK embedded. I am using disableInvite option in Web SDK.:white_check_mark: It works as I want and no problem with that except Web SDK is not suitable for mobile users. Therefore I have to use URL schemes to allow the mobile users to redirect to their zoom app which installed in their mobile device to join to my meeting. Upto this point everything was like a paradise.

I have purchased large meeting add-on and I have the limitation for number of attendees who can join my meeting. So I pay to zoom for all the attendees who are joining to my zoom meeting.

Problem:

Any attendee can simply invite their dog or cat who has a zoom account. How fair is that? I have bought 500/1000 attendee package to have the control of my meeting as a host. But zoom DOES NOT provide me any option to disable the invite button for attendees. :disappointed_relieved: :disappointed_relieved: :disappointed_relieved:

This is a MAJOR BUG! :warning: People have discussed this security hole here, here and here.

Suggestions by zoom so far

I have spent days to find out a way to achieve my requirement. Zoom Web SDK provide a option to hide the ‘invite’ button. Yey! This is what I wanted. But zoom URL schemes do not have option on this. So all my mobile user attendees can RUIN my meeting.

Lock meeting option is nice but it is not the solution to my problem. Because what if one of my attendee lost their internet connection and wants to join back to the meeting? It is a complete distraction to the meeting host. (My meeting has around 900 participants.)

Enable waiting room is also nice but this is completely a different feature. As I told I have 900 participants and host cannot accept all 900 participants mannually. I know there will be an up coming new feature called auto_admit_participants_with_specified_domains. This will not help me. :triangular_flag_on_post: Because the attendees can have any email address. abc@gmail.com, xyz@yahoo.com etc

Summary

Dear zoom + @tommy @Carson_Chen @Michael_Purnell
I am asking one thing. :one:
Just allow me a way to hide the ‘invite’ option within my meeting. :pray:

I have already created a feature request. Guys please vote this thread and let the Zoom to understand the priority of this request. Thanks. :dove:

5 Likes

I’m facing exactly the same issue.
Would be very nice to have able/disable switch for that.

2 Likes

From your description of your usecase, it sounds like what you really want is a webinar. Webinars offer more control over the participants of a meeting, including disabling the invite function, as well as a bunch of other useful features for 900 person meetings (it would be just as much of a shame if someone started screen-sharing or yelling during your meeting, right?)

3 Likes

Hi @jude.niroshan11

With the latest version of the WebSDK 1.7.8 you can hide the meeting information inviteUrl link using ZoomMtg.init -> inviteUrlFormat API[1] - https://zoom.github.io/sample-app-web/ZoomMtg.html#init.

In terms of preventing “Zoombombing”…

  1. Waiting Room - When having meetings of over 100+ or even 900 in this case, it’s best to have a co-host to help manage current participants & admit attendees in the waiting room without interrupting the meeting.

  2. Meeting Registration - You can add registration to meetings thus every intended participant will have their own unique join_url link.

Let us know if this helps.

Thanks