Clubhouse chats streamed to third‑party website
The incident raises concerns about the privacy and security of conversations taking place on the platform
Clubhouse, the social media platform du jour, has experienced a data incident as an unidentified user found a way to stream audio feeds from the app’s chat rooms to a third-party website.
Speaking to Bloomberg, Clubhouse spokeswoman Reema Bahnasy confirmed that over the weekend a user was able to pull audio feeds from “multiple rooms” and made them available on their own website. The user was then “permanently banned” and the social media platform went on to add new “safeguards” to prevent the situation from occurring again.
The apparent audio spillage comes on the heels of a report earlier this month, which led to concerns over the platform’s data practices. Following the report, which was drafted by the Stanford Internet Observatory (SIO), Clubhouse has sought to assuage the concerns by committing to taking steps to ensure user privacy.
Launched in April 2020, the invitation- and iPhone-only chat application allows users to interact with one another in private or public audio chatrooms. The app created a buzz by allowing regular users to interact with high-profile figures such as celebrities, athletes, captains of industry, and venture capitalists.
While the talks aren’t recorded by the platform and should be experienced live, its guidelines state that users “may not transcribe, record, or otherwise reproduce and/or share information obtained in Clubhouse without prior permission.”
Shortly after the new issue came to light, a number of cybersecurity experts took to Twitter. David Thiel, SIO’s Chief Technical Officer, said that he doesn’t believe the cyber-incident to be a “malicious activity, nor is it a loophole per se”.
He said that the unidentified party behind the incident created a JavaScript application that would allow anyone to listen to audio from Clubhouse without an invite code, and to listen to different personal sessions as well. “The app is designed to scrape Clubhouse channels that you can select from. A bot will join the channel on your behalf, and stream audio to you using Agora’s web SDK. It doesn’t appear to be spooling chats to storage — it doesn’t look like the server sees audio at all,” Thiel explained.
While some version of this *could* store audio, the version on GitHub just stores channel metadata. If it’s true that people weren’t able to kick the bot, that would be a Clubhouse bug. But there’s nothing inherently bad here, save for a possible ToS violation.
— David Thiel (@elegant_wallaby) February 21, 2021
Meanwhile, Robert Potter, the CEO of Internet 2.0, weighed in by saying that the security and privacy issues are teething troubles that are usually faced by up-and-coming social media platforms. However, he agreed with Thiel that it could be considered a violation of the app’s Terms of Service rather than a hack or data breach.
“The end result of this whole clubhouse [sic] experience is that folks have put a lot of data online without considering the privacy implications. I’d strongly recommend people to build more encryption fenced communities for these sorts of conversations in the future,” said Potter.
What an ESET expert has to say
Separately, these sentiments were echoed by ESET security specialist Jake Moore: “Clubhouse is still in its early phase and like with many applications, privacy of its users is often an afterthought. Similarly to when Zoom usage went through the roof, Clubhouse is experiencing a huge uptake and learning as it goes. Far too often the security and privacy of a startup’s userbase are not seen as important as the company’s growth. However, without the right protection in place, there is arguably no longevity.”
He went on to urge users to limit the amount of personal data they share with online services and watch for new security features in further releases.