Clubhouse: A security flaw in the audio application that allowed user data to be leaked


The “Clubhouse” app, the iPhone’s audio and social media platform, confirmed that it had leaked user data on Sunday.

The application allows users to join and participate in voice chat rooms, public or private, with a pledge not to record conversations.

However, American cybersecurity researchers tweeted that one user had found a way to broadcast a voice chat from the application to another site.

The Clubhouse app confirmed the leak to the Bloomberg news and financial information services website, saying it had blocked the user behind the leak.

The company that owns the app said it had launched new “security measures” to prevent conversations from being broadcast again.

The BBC contacted Clubhouse for comment.

Stanford University’s Internet Observatory was the first to report the incident, but David Thiel, the program’s chief technology officer, confirmed that the data leak was not harmful or a “hack,” adding that it was nothing more than a user’s violation of the terms of use of the Clubhouse app.

This view was shared by Robert Potter, an Australian researcher in the field of cybersecurity, who designed the Cyber Security Operations Center for the Washington Post.

He explained that “data leakage” is different from “data breach,” as the latter involves someone intentionally breaking into a system to steal data.

Data leakage, on the other hand, is an incident in which confidential information is disclosed to an environment that is not authorized to have it.

Potter said the incident happened because the user realized it was possible to participate in multiple chat rooms simultaneously.

By knowing how to do this, the user can link the application to his website, and “share” his login information remotely with anyone else on the Internet who wants to listen to voice chats from the app.

Security concerns about Clubhouse

The data leak incident on Sunday comes after the Clubhouse app provided guarantees that user data could not be stolen by cybercriminals or state-sponsored hackers, in response to a warning from Stanford University’s Internet Observatory, headed by Alex Stamos, a former security director at Facebook.

Cybersecurity researchers at Stanford University discovered many security vulnerabilities, including that user identification numbers and the identification numbers of the Clubhouse chat rooms they created were transmitted in plain text, which could allow identities to be linked to specific user profiles.

The researchers also expressed concern about the Chinese government’s access to the raw audio files on Clubhouse servers, because the basis for the application’s infrastructure is provided by a company known as “Agora”, which has offices in Shanghai and San Francisco.

When Agora went public on Wall Street in June, it stated in its filing with the US Securities and Exchange Commission that in China “assistance and support will be required in accordance with public security law and national security authorities to protect national security or assist in criminal investigations.”

Stanford University’s Internet Observatory informed Clubhouse of security flaws, and said on February 12 that it was collaborating with the app company to improve its security.

“I consider Clubhouse chats to be semi-public.”

Although it may seem annoying to hear about a leak of audio chats from the Clubhouse app, that is not entirely a good thing.

Users are already using the video and audio recording functions on their devices to capture and post conversations made by famous people like Elon Musk and Kevin Hart on YouTube.

Thiel warns that this is against the app’s terms of service, but it does mean that no one should expect their conversations to be truly private.

“I consider Clubhouse chats to be semi-public, given the issues with (company) Agora, and the fact that we all have microphones,” he wrote on Twitter.

The problem, Potter believes, is that the Clubhouse app is still young and immature as a service.

“I think there is a group of users who are really enthusiastic because it’s something new, and because you need an invitation from a user, the conversations have to be private,” he said.

He added: “It happened with the applications Zoom and TikTok repeatedly, we are seeing an application that is already achieving great growth and spreading quickly, then the privacy problem appears, or a lot of problems that were not so great when the application was used less, and then cybersecurity emerges later.”

He said users need to be realistic about what services do with their data.

“I think people just need to realize that the privacy and cybersecurity of newer social media platforms will not be as good as mature platforms,” Potter said.

“If you intend to adopt an application at an early stage, and try new applications and new smartphones, then there will be loopholes,” he added.

