Security breach on Clubhouse app
Clubhouse, a free app built around audio-only chatrooms, has gone viral in the App Store over the last few weeks. It is currently available only to Apple users, although preparations to launch an Android version are underway. With nearly ten million downloads on Apple devices, Clubhouse has even caught Mark Zuckerberg's attention: Facebook has already begun developing a similar app.
However, some concerning security flaws have just been exposed, potentially compromising the privacy of users' streams and identities. Clubhouse policy forbids anyone from recording conversations that take place on the app, and the company promises complete privacy, going so far as to claim that user data is inaccessible even to state-sponsored hackers. Yet this past weekend a user (since permanently banned) was discovered relaying the audio feeds of multiple chatrooms to his own website. Rebroadcasting is not a feature of the app, and the platform's controls should have prevented it.
The revelation prompted a deeper investigation of Clubhouse by Stanford cyber-security researchers, who found that each user's ID number, as well as chatroom IDs, was being transmitted in plaintext, without any encryption. What's more, those Clubhouse IDs can be linked to user profiles, allowing identities to be traced.
This opens a whole Pandora's box of concerns. Because Clubhouse's back-end infrastructure provider, Agora, is based in Shanghai, the incident raises the question of whether the Chinese government could gain access to raw audio and other confidential information. Chinese citizens make up a significant share of the app's global user base, and the researchers observed that the app's traffic is at times routed through servers in China. Unless the app's security is quickly improved and the IDs are encrypted in transit, worse data breaches may follow.
Clubhouse is currently working with the Stanford Internet Observatory (SIO) to take corrective measures and harden its security. In any case, SIO's chief technology officer warns that, given what is known, users should consider Clubhouse chats "semi-public."