A novel method for preventing “Zoom Bombing”


Zoom Bombing is exposing children learning remotely to inappropriate content and disrupting meetings so a few pranksters can have a laugh. The biggest unsolved issue with Zoom Bombing is that people are sharing links and passwords on social media in order to egg trolls and classmates on to bomb these classes and meetings. How can we share a meeting without disclosing the meeting ID and password?



BombSquad is a solution I built on Amazon Web Services to help mitigate the worst of Zoom Bombing. Here’s how it works:

  1. Get a Zoom meeting invitation link like normal (and make sure the password feature is turned on!)
  2. Go to www.BombSquad.us
  3. Select your meeting options- you can permanently turn off the participant microphone and camera so that nobody can reenable it by clicking the checkboxes.
  4. Paste your invitation link
  5. Get a sharable cloaked URL that goes right to your meeting!
  6. Continue orchestrating your meeting from the Zoom client like normal.

The technical details are as follows: BombSquad takes your URL, transforms it to force the user to use the Zoom web client, stores the original URL securely, and only redirects the browser to the real meeting URL if the user clicks through the sharable link you receive. The invitation link inside the window is disabled. Thus, all a user can see are BombSquad URLs! This is performed using a combination of AWS S3 and Lambda instances as shown above, making this a neat example of a serverless application– the first I am distributing publicly!


Head on over to www.bombsquad.us and give it a try!

BombSquad interface

3 thoughts on “A novel method for preventing “Zoom Bombing”

  1. To start, love the thought behind this, I’m just a little unsure as the technical details are a bit too high-level to describe how this actually adds extra security

    It seems like all this effectively does is hash the meeting id and password into a key for fetching a url to a session scoped to a subset of zoom’s functionality — couldn’t one share the bombsquad url and still allow random users to join the meeting (i.e. a replay attack)?

    I could absolutely see using account identities to prevent random users from joining meetings, does the zoom web client enforce some kind of pre-approved list of audience members?

    All in all, great summary and it’s super cool to see someone thinking about this šŸ™‚

    Liked by 1 person

    1. You have very good points. It is very hard to graft security onto a product as a third party.

      Someone could share the bombsquad URL, but I have done by best to set up the redirector service to make sure that someone is using my links versus using them on their own. Not perfect security, but another deterrent to non-technical users who will move on to less technical targets.

      The original concept for this project was to do exactly as you propose, and use account identities. Unfortunately Zoom no longer allows us to use the username query option on their embedded URLs unless we build an app that is approved by Zoom’s development team, so I did my best to build something that circumvented this restriction.

      Sorry for the weird disjointed comment- I posted the original bit while I got used to replying to WordPress comments! Let me know if there is anything you could find that would be better for improving this; I’m coming up to speed on information security but I have a lot to learn.



      1. Ah ok, that’s too bad Zoom isn’t more on top of this, makes perfect sense! Absolutely agree with the idea of security through obscurity, I know I wouldn’t bother trying to circumvent any system if I saw the bombsquad url when I was in school

        Have you thought about using client certs to gate who actually gains access to the redirect? e.g. If someone wants to lock down their Zoom session, bombsquad could check whether the https request has a client cert — if not then redirect to an approval request by the Zoom session maintainer where, when approved, a new client cert is returned (I’m pretty sure most CAs have a rest api bombsquad could leverage for this) — if so then check if the cert is in an approved set to determine the redirect target

        All in all, like I said before, great work and keep it going šŸ™‚

        Liked by 1 person

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s