A user was banned from the social network when he streamed conversations from various chat rooms on his website.
The Clubhouse social network confirmed that a user was able to stream the app’s content on its own website.
The tool, which has become fashionable in recent weeks, allows users to participate in public or private chat rooms in which it is only possible to send voice messages. There is a promise that the content can only be followed live, at the time it is posted, and is not recorded anywhere.
What is Clubhouse? Learn more about the social network
Clubhouse: invitation to the audio app is offered for more than R $ 600
But American cybersecurity researchers said a user found a way to broadcast the app’s audios on Sunday.
The Clubhouse confirmed the leak, which occurs when the information is released to a location that does not have authorization to access it.
The company told Bloomberg that it banned the user from the platform and installed new security settings to prevent conversations from being “leaked” again.
By way of a note, those responsible for the social network told the BBC that recording or broadcasting without the explicit permission of the chat participants violates the terms and conditions of use of the app.
One of the company’s spokesmen said: “Last weekend, a user temporarily broadcasted several chat rooms to a website. This individual’s account has been permanently banned from the service and additional security steps to prevent others from doing the same. in the future.”
The Stanford University Internet Observatory in the United States reported the incident first hand, but Clubhouse chief technology officer David Thiel said the data leak was not malicious.
Cybersecurity researcher Robert Potter, who built the Cybersecurity Operations Center for the American newspaper Washington Post, agrees.
He explained that a “data leak” is different from a “data breach”. In the second case, the hacking is deliberate and usually carried out by someone who attacks a system to steal valuable information.
Data leakage is an incident in which confidential information is disclosed in an unauthorized environment.
According to Potter, the incident occurred because an individual realized that it was possible to be in several chat rooms at the same time.
By understanding how the mechanics of the application worked, the user was then able to connect the Clubhouse programming codes to his website and, essentially, remotely “shared” the audio chats with anyone on the internet.
“If the app gets popular, people will do third-party programming and services that extract the data – as is already the case, for example, with several programs that get information through Twitter,” Potter told the BBC.
Last Sunday’s incident came after the Clubhouse declared that user data could not be stolen by state-sponsored cybercriminals or hackers in response to an alert issued by Stanford University’s Internet Observatory.
The institute is chaired by former Facebook security leader Alex Stamos.
Stanford researchers discovered several security holes, including the fact that users’ unique identification numbers and chat room codes were being transmitted in plain text, which would allow for various types of manipulation.
Experts were also concerned that the Chinese government could gain access to raw audio files on the Clubhouse’s servers, as its infrastructure is provided by a real-time engagement company called Agora, which has offices in Shanghai (China) and San Francisco (United States).
When Agora became a public company and went on to sell shares on the stock exchange in July 2020, reports from the United States Securities and Exchange Commission (SEC) indicated that it would be necessary to “provide assistance and support in accordance with the law. for public security and national security authorities to protect national security or assist in criminal investigations, “due to the company’s ties to China.
Stanford experts informed the Clubhouse about the flaws and, on February 12, announced that they were working with the company responsible for the application to improve its security.
“Almost” public chats
While it seems alarming to hear that audio conversations at the Clubhouse can be removed from the app, this is not exactly a new fact.
Several users are already using their devices’ audio recording or screen capture functions to record conversations from celebrities, such as Elon Musk and Kevin Hart, and then upload them to YouTube.
Again, this goes against the app’s terms of service, but it means that no one should expect their conversations to be truly private, warns Thiel.
“Consider the Clubhouse chats to be semi-public, due to the problems with Agora and the fact that we all have microphones on cell phones,” he tweeted.
Potter believes that the problem lies in the fact that the Clubhouse is still a young and immature service.
“There are a lot of users who were really excited because it is a new thing and because you need an invitation to participate,” he says.
“The same phenomenon happened with Zoom and TikTok. We see once again an application that achieves a very high growth, goes viral and soon afterwards, privacy problems appear or bugs that were not so important when the platform was smaller were found. . Cybersecurity comes later. “
Potter added that consumers need to be realistic about what services like Clubhouse do with their data.
“People should realize that the privacy and cyber security of the new social media platforms will not be as good as those of other, more mature networks,” he compares.
“If you are one of the first to adopt and try new apps and new smartphones, bugs will always appear,” he adds.