Clubhouse — the invitation-only audio app best known for courting everyone from Elon Musk to Mark Zuckerberg — has promised to implement new safeguards after suffering its second high-profile security snafu this month.
On Sunday, a Clubhouse spokesperson confirmed to Bloomberg that an unnamed user on the app had successfully managed to siphon audio streams from “multiple rooms” and stream them onto a third-party site which that user owned. This news came to light after security researcher Robert Potter tweeted out screenshots from the site in question. He pointed out that while the room-scraper in this case didn’t seem to have any malice in mind, the exploit was certainly available to “more nefarious actors.”
At the technical level, the user who shared his account through the open-source platform didn't really 'hack' anything aside from himself. It's likely a violation of the terms of service but not what we would call a hack. 8 pic.twitter.com/uEWtvqG4C6
— Robert Potter (@rpotter_9) February 21, 2021
Clubhouse’s team told Bloomberg that the user behind the audio scraping was “permanently banned” from the platform, and that it was installing certain “safeguards” to keep these sorts of room recordings from falling into the wrong hands again. That said, the company declined to tell Bloomberg what these specific safeguards actually were.
This doesn’t necessarily bode well for the folks that might be concerned over the privacy of their Clubhouse chats. Sure, the account behind the project might be banned, and it’s possible the particular exploit employed to siphon audio may no longer work. But the company still has to contend with the 300 other open-source projects currently trying to tap into the platform. And that number is growing every day.
Not to mention that this story is happening only a week after the Stanford Internet Observatory dropped a bombshell report implying that some user data — including raw audio feeds — were processed with the help of the Shanghai-based startup Agora, which had the ability to intercept that audio and store it for its own purposes. As the Trump administration’s tirade against TikTok taught all of us, data stored on Mainland China’s soil is subject to certain national cybersecurity laws dictating Chinese authorities can freely access that data if it’s determined to be a national security threat.
Considering how Clubhouse became something of a breakout hit in China because citizens were under the impression that the app was beyond the reach of state surveillance, you can imagine why last week’s revelation might have had a chilling effect. And while Clubhouse, at the time, promised that it was “deeply committed to data protection and user privacy,” this latest security issue raises questions about how far that commitment actually goes.
We’ve reached out to Clubhouse about this weekend’s security incident, and will update here when we hear back.