Clubhouse’s security issues are raising concerns after an unidentified user was able to leak the audio chat and listen to conversations.
The clubhouse app is gaining popularity due to its unique nature where users can audio chat with each other candidly, in ephemeral rooms.
Clubhouse audio chat leaks
Bloomberg posted that over the weekend, an unknown user was able to invade several Clubhouse chatrooms and listened to audio chats. The user probably based in China made their own website to leak audio chats from the app. The company has now banned the user and said that it has implemented more security measures to halt future unauthorized access.
But, Rui Ma indicated in tweets that there’s still evidence from the recent crack surfacing on GitHub.
Some Chinese developer made an Android / PC compatible player for Clubhouse, put it on GitHub, and this guy is like “Clubhouse has been hacked & it’s coming out of China.” Then he goes on Clubhouse chatrooms to “verify this hack.” – Rui Ma -Twitter
But this is not a hack at all, here’s why:
Its' even not a hacking of any form at all
Just the author using his own personal session to access all public rooms
The only one to blamed is clubhouse's own security team. Or simply they don't have that at all?
READ THE FUCKING DOCS
SOURCE: https://t.co/e62r4sOMdD https://t.co/HweyexSJ2h pic.twitter.com/EVCjN0JNTX
— Passluo | 嘿嘿 ?? 嘻嘻 (@passluo) February 22, 2021
This incident took place only a week after Clubhouse announced strict security measures. This included preventing the app from “transmitting pings” to China-based servers and additional encryption to protect conversations. Developers Alpha Exploration also promised a third-party security firm will audit the updates.
Agora provides the backend for Clubhouse
The Stanford Internet Observatory (SIO) noted in a report that China-based company Agora offers the backend for Clubhouse. And it transferred user ID numbers and chatroom IDs in plaintext. Both Agora and Clubhouse have not given a word on this partnership publicly.
Former Facebook security executive, Alex Stamos said that “Clubhouse cannot provide any privacy promises for conversations held anywhere around the world.” He also noticed that Clubhouse used previously unauthenticated servers run by EnjoyVC. They are not sure what service this company provides to the app, and what consequences it might have on users.
Clubhouse provided us with the following statement promising changes. We found that the use of Shanghai-based Agora is fundamental to the function of the app and building logical and technical controls between the US and PRC infrastructure will be extremely complicated. – Stamos – Twitter
Clubhouse responded to SIO’s report and said that it doesn’t have servers in China as the app’s official launch has not taken place in the country. It continued that some users in China discovered a fix to install the app and “conversations they were a part of could be transmitted via Chinese servers.“
Clubhouse witnesses a rollercoaster month with recurring incidents including the audio chat leaks.