The Clubhouse app has been breached, raising security concerns

A week after the popular Clubhouse audio chat app said it was taking steps to ensure that user data was not stolen by hackers or malicious spies, at least one attacker proved that the platform's live audio can be siphoned out of it.

An unidentified user was able to stream Clubhouse audio feeds this weekend from "multiple rooms" on their own third-party website, said Clubhouse spokesperson Reema Bahnasy. Although the company says that specific user is "permanently banned" and that it has installed new "safeguards" to avoid a repeat, researchers say the platform may not be in a position to make such promises.

Users of the invite-only iOS app should assume that all conversations are being recorded, said the Stanford Internet Observatory, which was the first to publicly raise security issues on February 13. "Clubhouse cannot offer any privacy promises for conversations conducted anywhere in the world," said Alex Stamos, director of the Stanford Internet Observatory and former head of security at Facebook Inc.

Stamos and his team were also able to confirm that Clubhouse depends on a Shanghai start-up called Agora Inc. to handle much of its back-end operations. Although Clubhouse is responsible for the user experience, such as adding new friends and finding rooms, the platform depends on the Chinese company to process its data traffic and audio production, he said.

Clubhouse's reliance on Agora raises many privacy concerns, especially for Chinese citizens and dissidents who may be under the impression that their conversations are beyond the reach of state surveillance, said Stamos.

Agora said it could not comment on Clubhouse's security or privacy protocols and insisted that it does not "store or share personally identifiable information" for any of its customers, of which Clubhouse is just one. "We are committed to making our products as safe as possible," the company said.

Over the weekend, cybersecurity experts noticed that audio and metadata were being transferred from Clubhouse to another website. "A user has configured a way to remotely share their login with the rest of the world," said Robert Potter, chief executive of Internet 2.0 in Canberra, Australia. "The real problem is that people thought these conversations were private."

The culprit behind the weekend's audio theft built their own system around the JavaScript toolkit used to compile the Clubhouse app. They effectively improvised the platform, said Stamos. The Stanford Internet Observatory said it has not determined the origin or identities of the attackers.

Although Clubhouse declined to explain what steps were taken to prevent a similar breach, solutions may include preventing third-party applications from accessing chat room audio without actually entering a room, or simply limiting the number of rooms a user can be logged in to simultaneously, said Jack Cable, a researcher at the Stanford Internet Observatory.

A week ago, the Stanford Internet Observatory released a report saying it observed metadata from a Clubhouse chat room "being relayed to servers that we believe are hosted" in China. Agora's obligations under China's cybersecurity laws mean that it would be legally obliged to assist in locating audio if the government claimed it jeopardized national security.

Clubhouse recently raised $100 million at an estimated $1 billion valuation. Agora's shares have risen more than 150% since mid-January, and the company is now worth close to $10 billion.

In early February, Clubhouse users in China said they were unable to access the app after an explosion of discussions from mainland users on taboo topics from Taiwan to Xinjiang. For now, it appears that users can still access the application using virtual private networks, one of the few ways in which people in mainland China can explore the Internet beyond the Great Firewall.