Clubhouse has declined to explain what steps it is taking to prevent a similar breach as one this past weekend, when an unidentified user was able to stream audio feeds from ‘multiple rooms’ in the app into a third-party website. Photo: DPA

Clubhouse audio chats are breached, raising concerns over cybersecurity

  • An unidentified user was able to stream Clubhouse audio feeds this past weekend from ‘multiple rooms’ in the platform into a third-party website
  • Users of the app should assume all conversations are being recorded, according to the Stanford Internet Observatory, which was the first to raise security concerns

A week after popular chat room app Clubhouse said it was taking steps to ensure user data could not be stolen by malicious hackers or spies, at least one attacker has proven the platform’s live audio can be siphoned.

An unidentified user was able to stream Clubhouse audio feeds this weekend from “multiple rooms” into their own third-party website, said Reema Bahnasy, a spokeswoman for Clubhouse.

While the company says it has “permanently banned” that particular user and installed new “safeguards” to prevent a repeat, researchers contend the platform may not be in a position to make such promises.

Users of the invitation-only iOS app should assume all conversations are being recorded, the Stanford Internet Observatory (SIO), which was first to publicly raise security concerns on February 13, said late on Sunday.

“Clubhouse cannot provide any privacy promises for conversations held anywhere around the world,” said Alex Stamos, director of the SIO and Facebook’s former security chief.

Stamos and his team were also able to confirm that Clubhouse relies on a Shanghai-based start-up called Agora to handle much of its back-end operations. While Clubhouse is responsible for its user experience, like adding new friends and finding rooms, the platform relies on the Chinese company to process its data traffic and audio production, he said.

Clubhouse’s dependence on Agora raises extensive privacy concerns, especially for Chinese citizens and dissidents under the impression their conversations are beyond the reach of state surveillance, Stamos said.

Agora said it could not comment on Clubhouse’s security or privacy protocols and insisted it does not “store or share personally identifiable information” for any of its clients, of which Clubhouse is just one. “We are committed to making our products as secure as we can,” the company said.

Apple's App Store page for audio chat app Clubhouse is displayed on a smartphone screen in Beijing on February 9, 2021. Chinese authorities are blocking access to Clubhouse, as it allowed users in mainland China to discuss sensitive topics, including Taiwan and treatment of the country’s Muslim minority. Photo: AP

Over the weekend, cybersecurity experts noticed that audio and metadata were being pulled from Clubhouse to another site. “A user set up a way to remotely share his login with the rest of the world,” said Robert Potter, chief executive of cybersecurity firm Internet 2.0 based in Canberra, Australia. “The real problem was that folks thought these conversations were ever private.”

The culprit behind the weekend audio theft built their own system around the JavaScript toolkit used to compile the Clubhouse application. They effectively jerry-rigged the platform, said Stamos. The SIO said it did not determine the origin or identities of the attackers.

While Clubhouse declined to explain what steps it took to prevent a similar breach, solutions may include preventing the use of third-party applications to access chat room audio without actually entering a room or limiting the number of rooms a user can enter simultaneously, said Jack Cable, a researcher at the SIO.

A week ago, the SIO released a report saying it observed metadata from a Clubhouse chat room “being relayed to servers we believe to be hosted” in China. Agora’s obligations to China’s cybersecurity laws mean that it would be legally required to assist in locating audio should the government contend it jeopardised national security.

Clubhouse recently raised US$100 million at a reported US$1 billion valuation. Agora has soared more than 150 per cent since mid-January. It is now worth close to US$10 billion.

In early February, users of Clubhouse in China said they were unable to access the app after an explosion of discussions by mainland users on taboo topics from Taiwan to Xinjiang. For now, it appears that users can still access the app by using virtual private networks, one of the few ways people in mainland China can explore the internet beyond the Great Firewall.