A week after the popular audio chat room app Clubhouse took steps to ensure that user data couldn’t be stolen by malicious hackers or spies, at least one attacker proved that the platform’s live audio could be siphoned off.
An unidentified user was able to stream Clubhouse audio feeds from “multiple rooms” to their own third-party website this weekend, said Reema Bahnasy, a spokeswoman for Clubhouse. While the company says it “permanently banned” that particular user and put in new “safeguards” to prevent it from happening again, researchers say the platform may not be in a position to make such promises.
Users of the invite-only iOS app should assume that all conversations are being recorded, the Stanford Internet Observatory, which first publicly raised security concerns on Feb. 13, said late Sunday. “Clubhouse cannot make data protection promises for conversations around the world,” said Alex Stamos, director of the SIO and former security chief of Facebook Inc.
Stamos and his team have also confirmed that Clubhouse relies on a Shanghai-based startup called Agora Inc. to handle much of its back-end operations. While Clubhouse is responsible for the user experience, like adding new friends and finding rooms, the platform relies on the Chinese company to handle the traffic and audio production, he said.
Clubhouse’s reliance on Agora raises widespread privacy concerns, especially for Chinese citizens and dissidents who feel their conversations are beyond the reach of government surveillance, Stamos said.
Agora said it was unable to comment on Clubhouse’s security or privacy protocols and insisted that it “does not store or share any personal information” with any of its customers, Clubhouse being only one. “We strive to make our products as safe as possible,” said the company.
Over the weekend, cybersecurity experts discovered that audio and metadata had been transferred from Clubhouse to another site. “A user has set up a way to remotely share their login with the rest of the world,” said Robert Potter, Internet 2.0 chief executive officer, based in Canberra, Australia. “The real problem was that people thought these conversations were ever private.”
While Clubhouse declined to explain what steps it was taking to prevent a similar breach, solutions could include preventing third-party applications from being used to access chat room audio without actually entering a room, or simply limiting the number of rooms a user can enter at one time, said Jack Cable, a researcher at SIO.
A week ago, the SIO released a report saying that metadata from a Clubhouse chat room in China was “forwarded to servers that we believe are hosted”. Due to Agora’s obligations under Chinese cybersecurity laws, it would be legally required to assist in locating audio if the government claimed it endangered national security.
Clubhouse recently raised $100 million on a reported valuation of $1 billion. Agora is up more than 150% since mid-January. It’s worth nearly $10 billion now.
In early February, Clubhouse users in China said they could not access the app after an explosion of discussions from mainland users on taboo subjects from Taiwan to Xinjiang. At the moment, it appears that users can still access the app through virtual private networks. This is one of the few ways people in mainland China can explore the internet beyond the Great Firewall.