Clubhouse app, an audio-based social networking app exclusively for iPhone users, reported that it suffered a data leak last Sunday. The app was introduced in March 2020 and has raised $100 million in funding in January 2021.
The app allows users to access and join public or private group chats, ensuring that discussions will be experienced life and not be recorded.
According to Reema Bahnasy, a Clubhouse spokesperson said the incident happened due to a user who was able to stream the audio chats from multiple rooms into a third-party website. The company said it had blocked the user and installed new “safeguards” to prevent future leaks.
The Stanford Internet Observatory, which was the first to publicly raise security concerns, said that users of the invitation-only iOS app can presume that communications are being recorded.
Alex Stamos, SIO Director and Facebook’s former Security Chief said, “Clubhouse cannot provide any privacy promises for conversations held anywhere around the world.”
The data leak incident came after Clubhouse made promises that user information will not be compromised by cybercriminals or state-sponsored hackers, in response to SIO’s concern.
Several security vulnerabilities were identified by Stanford's cyber-security experts. These include the fact that users’ unique ID numbers and Clubhouse chatrooms’ ID numbers generated were sent in plaintext, and it could be possible to link IDs to individual user profiles.
The experts also shared concerns that the Chinese government can obtain access to the raw audio files on the servers of Clubhouse. It is because the app uses Agora, a real-time engagement API company based in Shanghai, for its back-end infrastructure.
Agora stated in its filing with the US Securities and Exchange Commission (SEC) that it would be required in China "to provide assistance and support in accordance with the law for public security and national security authorities to protect national security or assist with criminal investigations".
Robert Potter, an Australian cyber-security specialist, claims the issue is that Clubhouse as a platform is new and still inexperienced.
He added that it was important for users to be rational about what providers do with their data. "I think people just need to realise that the privacy and cyber-security of newer social media platforms isn't going to be as good as mature ones," said Potter.
Katie Moussouris, Luta Security CEO and founder, said the incidents serve as another warning for platforms that rapidly escalate in popularity before security flaws are fixed.
