Clubhouse app hacked and audio reposted for all — what you need to know
One hacker made Clubhouse audio available to everyone
The exclusive, invitation-only iPhone app Clubhouse is the latest big thing on the internet, but it’s not without its issues. Security researchers have already identified a serious flaw in the app’s security, one that’s since been exploited by an unknown hacker.
One user has been able to stream audio from Clubhouse rooms to their own website. The user has since been banned and the company has promised it will be boosting its security measures to make sure it doesn’t happen again.
The hacker was discovered when cybersecurity experts spotted that audio and metadata were being transferred from Clubhouse to another site. They then discovered that the assailant had built a system around the JavaScript toolkit that is used to compile the Clubhouse app to accomplish this.
According to Robert Potter, CEO of Internet 2.0 (via Bloomberg), “a user set up a way to remotely share his login with the rest of the world”.
Clubhouse is currently an invitation-only app for iPhone, meaning you can’t just sign up for it in the same way you would Twitter or Facebook. Presumably the hacker exploited the existing security hole as a way to let non-users listen in to conversations they don’t normally have access to, although we can’t say for sure what their actual motives were.
The security hole in question was recently uncovered by the Stanford Internet Observatory (SIO). The SIO found that personally identifiable information, including Clubhouse user and chatroom IDs, was being transmitted in plaintext, while it was also possible to get hold of raw audio files.
Initially this led to concerns over the involvement of Chinese start-up Agora, which Clubhouse relied on for its back-end systems. Should Agora be in possession of any Clubhouse data, it would legally have to hand it over to the Chinese government if asked. This information didn’t go down well and forced Clubhouse to promise more robust systems were being put into place, and that all of its data would remain on American servers.
Obviously whatever measures Clubhouse had planned either weren’t enough, or haven’t been implemented yet. According to SIO researcher Jack Cable, Clubhouse has declined to say what additional steps it’s taken to avoid breaches like this in future.
Clubhouse only launched last year, but has recently come into the public consciousness after Elon Musk used it to interview Robinhood CEO Vlad Tenev. Its popularity has grown rapidly in the time since, though the invite system is severely restricting how many people can join. Until things change, you’re going to have to be patient. Considering the security holes that have been uncovered, it’s probably a good thing that you can’t get involved just yet.
Tom is Tom's Guide's UK Phones Editor, tackling the latest smartphone news and vocally expressing his opinions about upcoming features or changes. It's a long way from his days as editor of Gizmodo UK, when pretty much everything was on the table. He’s usually found trying to squeeze another giant Lego set onto the shelf, draining very large cups of coffee, or complaining about how terrible his Smart TV is.