At nearly a year old, the invitation-only, audio-based social-media platform Clubhouse is grappling with security issues on multiple fronts, but the consensus among researchers is coming into focus: Assume your Clubhouse conversations are being recorded.
The company confirmed to Bloomberg that over the weekend a user was able to breach “multiple” Clubhouse room audio feeds and stream them on a third-party website. A company spokeswoman told Bloomberg the user has been banned and that “safeguards” have been put in place.
Another user, located in mainland China, meanwhile wrote code that allows anyone to listen in on Clubhouse conversations without the required invitation code, and posted it on GitHub, Silicon Angle reported. That code, along with other malicious code designed to breach Clubhouse, has been blocked, according to the outlet.
Clubhouse’s Agora Platform
The heart of Clubhouse’s security woes is its backend “real-time voice and video engagement platform,” provided by Shanghai-based startup Agora. Clubhouse web traffic, including personal metadata, is directed to Agora’s server in China without encryption, according to the Stanford Internet Observatory (SIO), which was the first to raise the alarm about Clubhouse’s privacy and security protections on Feb. 12.
Because Agora is based in China as well as Silicon Valley, it is subject to the cybersecurity laws of the People’s Republic of China, which the company acknowledged could require it to assist the government in investigations by providing audio.
Agora, for its part, denies storing metadata.
“However, the Chinese government could still theoretically tap Agora’s networks and record it themselves,” SIO said. “Or Agora could be misrepresenting its data storage practices.”
Consumers should be aware their data is likely exposed.
“It’s alarming that platforms like this are built on leveraging coarse data transfer practices that users accept when they install these apps,” Burak Agca, an engineer with Lookout, said. “Consumers trust their mobile devices and the apps on them to be inherently secure. This may lead them to open up their devices to unknown communications with data-collection and traffic-management systems.”
Clubhouse Concerns Are Similar to TikTok
Agca said the issues surrounding Clubhouse are much like previous security concerns raised around TikTok.
“The [TikTok] parent company, ByteDance, said it didn’t share any user data with the Chinese government,” he explained. “In the case of both TikTok and Clubhouse, we all know that if the Chinese government really wants something, they’ll get it.”
Clubhouse, which is only available for iPhone, has been downloaded by more than 8 million users, which, according to USA Today, is double the number it had on Feb. 1. The company is currently valued at $1 billion and includes famous users like Silicon Valley investor Ben Horowitz, CBS news anchor Gayle King and even Beyonce’s mom, Tina Knowles.
As Clubhouse gains notoriety, Katie Moussouris, CEO of Luta Security, told Silicon Angle that it’s important for users and analysts to keep an eye on how its security posture evolves.
“Today’s Clubhouse data routing through China while optimizing for maximum social graph is tomorrow’s congressional inquiry of another runaway tech giant, too big and too late to regulate,” she said.