Cyber Security: Clubhouse confirms data spillage of its audio streams

Audio-only social network iPhone app Clubhouse has confirmed that it experienced a data spill on Sunday.

The app allows users to join and participate in pop-up public or private audio chatrooms, promising that conversations are not recorded and have to be experienced live.

But US cyber-security researchers tweeted that a user had found a way to stream audio to another website.

Clubhouse confirmed the spill to Bloomberg, saying it banned the user.

The app firm said it had installed new “safeguards” to prevent conversations from being streamed again.

Stanford University’s Internet Observatory reported the incident first, but the programme’s chief technology officer David Thiel stressed that the data spill was not malicious or a “hack”. Instead, he said it was more that a user had decided to violate Clubhouse’s terms of service.

Australian cyber-security researcher Robert Potter, who built the Washington Post’s cyber-security operations centre, agrees.

He explained that a “data spillage” was different to a “data breach”, in that data breaches are deliberate and usually carried out by someone hacking into a system to steal data.

A data spillage, on the other hand, is an incident whereby confidential information is released into an environment that is not authorised to have access to the information.

Sunday’s incident comes after Clubhouse made assurances that user data couldn’t be stolen by cyber-criminals or state-sponsored hackers, in response to a warning from Stanford University’s Internet Observatory, which is headed by Facebook’s former security chief Alex Stamos.

Stanford’s cyber-security researchers discovered several security flaws, including the fact that users’ unique ID numbers and the ID numbers of the Clubhouse chatrooms they created were being transmitted in plaintext, and that it could be possible to connect those IDs to specific user profiles.

The researchers were also concerned that the Chinese government could gain access to the raw audio files on Clubhouse’s servers, because its back-end infrastructure is provided by a real-time engagement API firm called Agora, which has offices in both Shanghai and San Francisco.

When Agora went public on Wall Street in June, it mentioned in its filing with the US Securities and Exchange Commission (SEC) that in China it would be required “to provide assistance and support in accordance with the law for public security and national security authorities to protect national security or assist with criminal investigations”.

Stanford Internet Observatory informed Clubhouse about the security flaws and on 12 February said that it was working with the app firm to improve its security.