UPDATED 16:30 EDT / FEBRUARY 21 2021

SECURITY

Clubhouse suffers breach as outside developer pulls audio to website

The hot audio-based social app Clubhouse has apparently suffered a data breach, as a third-party developer designed an open-source app that allowed Android smartphone users to access the invite-only, iPhone-only service.

Launched in March 2020, Clubhouse is an audio-based social app that allows users to join group chats spontaneously. It raised $100 million in funding in January. Despite being available only to Apple Inc.’s users, it has managed to gain a lot of buzz, not dissimilar to the early days of Twitter Inc.

In the case of the main Clubhouse breach, a programmer in mainland China designed and made available open-source code on GitHub, owned by Microsoft Corp. since 2018. The developer said the app was designed to allow anyone to listen to audio on Clubhouse without an invite code, with access to various personal sessions.

This app along with other forms of third-party access, some apparently originating from Hong Kong, have now been blocked. Notably, the developer of the Clubhouse Android app on GitHub writes in simplified Chinese, while Hong Kong uses traditional Chinese script.

An “unidentified user” was also able to stream audio feeds over the weekend from “multiple rooms” into the person’s own third-party website, but was then “permanently banned.” This is a different compromise to the Android GitHub application. Reema Bahnasy, a spokeswoman for Clubhouse, told Bloomberg that the company has added “safeguards” to prevent a repeat of audio from their service from being accessed by third-parties.

John Furrier, founder and chief executive officer of SiliconANGLE Media Inc. who has been digging into Clubhouse and noticed the leak of chats, noted that in one of the alleged hacks — the one out of Hong Kong — involves bricking an iPhone, reverse-engineering the Clubhouse application and then using a bot’s “malicious code” to access the various streams and shares them. “Then the program calls the Agora backend as it traverses the room IDs,” Furrier explained. “If Clubhouse bans the bot, another iPhone takes its place.”

One big problem Clubhouse has is that it’s built upon a service from Shanghai-based Agora Inc. to do things such as managing its data traffic and audio production. Alex Stamos, a former Facebook Inc. executive who now heads the Stanford Internet Observatory, raised some security issues back on Feb. 12. He reiterated those concerns Saturday night in a Clubhouse chat with Furrier.

For its part, Agora provided no specific comment to Bloomberg, saying it doesn’t “store or share personally identifiable information” for any of its clients, adding, “We are committed to making our products as secure as we can.”

Furrier added that although the access was intentional, it was not necessarily malicious. “Some are suggesting in the cybersecurity community that this is happening at many other levels of government,” he said, adding that one expert advised that “all users should assume all conversations are being recorded.”

There are other security concerns surrounding Clubhouse. Lourdes Turrecha, founder and CEO of privacy consulting firm PIX LLC, wrote on Medium that Clubhouse rolled out its app without much regard for privacy. Turrecha claims that Clubhouse collects not just its users’ personal information but also their contact information. Further, Turrecha says, Clubhouse also accesses users’ Twitter account information without explaining why.

There could be implications for businesses that use Clubhouse as well. Advisedly or not, one hedge fund manager in one Clubhouse room was having meetings on the service, and is now “freaking out,” Furrier noted.

The concerns even extend to safety of users, especially in countries where governments such as China keep a tight watch on people’s activities online. Many people using Clubhouse may assume their chats are private.

The incidents provide yet another wakeup call for services that suddenly explode in popularity before security kinks get worked out, Katie Moussouris, founder and CEO of Luta Security, which provides advice on sustainable vulnerability disclosure and management, told Furrier.

“Where I think we have a lot to learn from this is that well-funded, popular platforms with millions of users still don’t invest as heavily in security, privacy and safety as they should,” she said. “We’re not talking about a scrappy open-source project that got unexpectedly popular and didn’t have the bandwidth to work on better security and privacy architecture, or at least better warnings about the limitation of the expectation of the privacy of conversations, and the longevity of possible recordings outside of their control.”

Moussouris also issued a warning for tech companies that don’t take enough care: “Today’s Clubhouse data routing through China while optimizing for maximum social graph is tomorrow’s congressional inquiry of another runaway tech giant, too big and too late to regulate,” she said.

Despite the issues, Clubhouse is already spurring apparent copycats. Facebook reportedly is working on a similar service.

Images: Opench

A message from John Furrier, co-founder of SiliconANGLE:

Your vote of support is important to us and it helps us keep the content FREE.

One click below supports our mission to provide free, deep, and relevant content.  

Join our community on YouTube

Join the community that includes more than 15,000 #CubeAlumni experts, including Amazon.com CEO Andy Jassy, Dell Technologies founder and CEO Michael Dell, Intel CEO Pat Gelsinger, and many more luminaries and experts.

“TheCUBE is an important partner to the industry. You guys really are a part of our events and we really appreciate you coming and I know people appreciate the content you create as well” – Andy Jassy

THANK YOU