Invitation-only social network Clubhouse has confirmed it has experienced an audio leak that saw conversations streamed to a third-party website.
Launched in April 2020, Clubhouse is an audio-chat app in which users can join “rooms” within the app to listen to or participate in conversations about a range of topics. The iOS app had attracted 600,000 registered users as of December 2020. On 21 January 2021, it was valued at $1bn.
Clubhouse has gained popularity during the Covid-19 pandemic and a number of high-profile individuals, including Elon Musk and Mark Zuckerberg, have participated in Clubhouse calls.
Over the weekend, security researchers at the Stanford Internet Observatory discovered that a user was streaming audio feeds and metadata from multiple chatrooms within Clubhouse to another website, resulting in an audio leak or data spillage.
Data spillage refers to a security incident in which confidential information is released into an untrusted environment. It differs from a data breach, which usually involves a hacker stealing information from a system.
Clubhouse confirmed the breach to Bloomberg, telling the publication that the user had been permanently banned, and that it had introduced safeguards to prevent a similar thing happening in the future.
However, the Stanford Internet Observatory said that Clubhouse users should assume that their conversations may be being recorded.
Last week, the Stanford Internet Observatory identified security issues within the app, such as the fact that users’ unique Clubhouse ID number and chatroom ID are transmitted in plaintext, and raised concerns over whether Shanghai-based company Agora, which supplies back-end infrastructure to the Clubhouse app, could potentially provide the Chinese government with access to raw audio.
The app gained popularity among users in China due to the fact that audio conversations are not recorded, giving users an opportunity to publicly discuss topics that may otherwise be restricted by the Chinese government. The app was blocked in China on 8 February.
Jake Moore, cybersecurity specialist at ESET:
“Clubhouse is still in its early phase and like with many applications, privacy of its users is often an afterthought. Similar to when Zoom usage went through the roof, Clubhouse is experiencing a huge uptake and learning as it goes. Far too often the security and privacy of a startup’s userbase are seen as not as important as growth of the company. However, without the right protection in place, there is arguably no longevity.
“Companies need to do more in investing the right amount of resources into protecting users from any type of data breach. Whether it is private data or not, any data related to any user without a privacy promise is something to be wary of. I would advise users to limit the amount of personal data they offer up to the service and watch for updates and added security features in further releases.”
Verdict has approached Clubhouse for comment.