A substantial security flaw has been exposed on the voice-only chat app Clubhouse.
The issue has been dubbed a data ‘spillage’, as it involves confidential information being released into an environment where it shouldn’t be. This is different to the more typical data breach, which sees a third party maliciously hacking into a system to steal or exploit data.
Clubhouse has been touted as a cross between conference calls and talk radio, where users chat to friends or listen in to conversations between others, using audio only. The company behind Clubhouse claims it allows users to ‘come together to talk, listen and learn from each other in real-time’. However, it also claimed that chats can only be experienced live and disappear when they end – though it seems they don’t quite disappear forever.
One user discovered that he could be in multiple rooms at once, and paired this with the ability to connect a Clubhouse API to his own website – allowing any user to log in with his details and listen in. Effectively, it meant any conversation taking place within the app could be scraped from his website, recorded (even by non-users), and saved for publication elsewhere.
Though embarrassing for the fledgeling app, this isn’t actually the first data security issue it has faced. Previously, researchers from Stanford University in the USA discovered that unique ID numbers for both users and the chat rooms they were in were being transmitted in plaintext – allowing hackers to connect unique IDs to real-world individuals.
Stanford University researchers also raised concerns that, with the company using servers in both Shanghai and San Francisco, it was possible that the Chinese government could gain unfettered access to raw audio files.
The university is now working alongside Clubhouse to help make its system more secure.
In the meantime, users of the app are being advised to treat any conversations they have on it as being in the public domain, and to exercise caution more broadly when being an early adopter of any app. Cyber security researcher Robert Potter told the BBC: “I think people just need to realise that the privacy and cyber-security of newer social media platforms isn’t going to be as good as mature ones.
“If you’re going to be an early adopter and try out new apps and new smartphones, there’s going to be bugs.”