Private social app Clubhouse allows users to engage in informal conversations. The invite-only iOS application counts Elon Musk among its users, and Facebook is also looking to clone the chat service. However, concerns were raised around Clubhouse a couple of weeks ago, with the Stanford Internet Observatory (SIO) citing numerous potential security weaknesses in the service. Today, Clubhouse has confirmed a security breach and put new safeguards in place to prevent similar incidents in the future.
In a statement to Bloomberg, a Clubhouse spokesperson said that a user was able to siphon live audio from multiple private rooms and stream it on their own website. The incident, which took place over the weekend, was possible because the attacker built a system using the same JavaScript toolkit that is used to compile the Clubhouse application. While the identity of the involved party has not been disclosed, the spokesperson clarified that the user has been permanently banned from the app.
This situation feeds into the security concerns raised by the SIO a few days ago. One of these was that Clubhouse user and chatroom IDs were being transmitted over the internet in plaintext instead of being encrypted.
Furthermore, SIO also revealed that the backend of the platform is handled by a Shanghai-based startup called Agora Inc. The Chinese company states that it "temporarily" stores raw audio data for processing on its servers, but it is currently unknown how long this period is or where the servers are located. In a statement to The Verge, the firm confirmed that it does not route traffic produced by non-Chinese users through China. However, Agora declined to go into detail about the security mechanisms and protocols in place to prevent security breaches such as the one that took place over the weekend.
Source: Bloomberg | Image via Walk the Chat