Clubhouse's appeal lies in its off-the-record nature, where users can voice chat with each other candidly in ephemeral "rooms." But what if bad actors could snoop on your live conversations?
A report from Bloomberg noted that over the weekend, an unidentified user was able to crack the service and listen to conversations. The user, believed to be based in China, made their own website to capture audio streams from the app. The company has now banned the user and said that it has implemented new “safeguards” to stop future unauthorized access.
Some Chinese developer made an Android / PC compatible player for Clubhouse, put it on GitHub, and this guy is like “Clubhouse has been hacked & it’s coming out of China.” Then he goes on Clubhouse chatrooms to “verify this hack.” https://t.co/7lbZDJa772
— Rui Ma 马睿 (@ruima) February 21, 2021
This incident comes only a week after Clubhouse’s announcement of tightening security measures, including preventing the app from “transmitting pings” to China-based servers and additional encryption to protect conversations.
A report prepared by the Stanford Internet Observatory (SIO) noted that China-based company Agora provides the backend for Clubhouse, and that it transmitted user ID numbers and chatroom IDs in plaintext. Neither Agora nor Clubhouse has commented on this partnership publicly.
Former Facebook security executive Alex Stamos, who also contributed to SIO’s report, said that “Clubhouse cannot provide any privacy promises for conversations held anywhere around the world.”
He also observed that Clubhouse used previously undocumented servers run by EnjoyVC. We don't know what service this company provides to the app, or what implications it might have for users.
Another interesting finding was the undocumented use of servers run by "GUANGZHOU ENJOY_VC COMMUNICATION TECHNOLOGY CO., LTD." aka EnjoyVC.
— Alex Stamos (@alexstamos) February 16, 2021
In response to SIO's report, Clubhouse said that it doesn't have servers in China, as the app hasn't been officially launched in the country. It added that some users in China found a workaround to install the app and that "conversations they were a part of could be transmitted via Chinese servers."
The security measures taken by the audio app seem sufficient for now, but it might want to commission a wider audit to avoid a Zoom-level fiasco.
Safety and privacy are a huge part of Clubhouse's appeal. Twitter and Facebook are already exploring ways to build live audio chat products, and further security incidents might make users consider switching to other platforms.