An attacker was able to siphon audio feeds from multiple Clubhouse rooms

Pierluigi Paganini February 22, 2021

An attacker demonstrated this week that Clubhouse chats are not secure: he was able to siphon audio feeds from “multiple rooms” into his own website.

While the popularity of the audio chatroom app Clubhouse continues to increase, experts are questioning the level of security and privacy it offers to its users.

Recently the company announced it is working to enhance the security of its platform and to prevent threat actors from accessing audio chats. Unfortunately, a group of attackers has proved that the platform’s live audio can be siphoned.

Over the weekend, an unidentified attacker was able to stream Clubhouse audio feeds from multiple rooms into their own third-party website.

In response to the malicious activity, the company permanently banned the account used by the attacker and deployed new “safeguards” to prevent similar attacks in the future, but Clubhouse could not guarantee that it will not happen again.

Representatives of the Stanford Internet Observatory declared that users should assume all conversations are being recorded by the company, a circumstance that raises concerns because they have no information on how the conversations are stored.

“Clubhouse cannot provide any privacy promises for conversations held anywhere around the world,” said Alex Stamos, director of Stanford Internet Observatory and former Facebook CSO.

The privacy questions raised are not limited to the way data are stored. Experts like Stamos pointed out that Clubhouse implements its back-end operations with the support of the Chinese start-up Agora Inc.

“Clubhouse’s dependence on Agora raises extensive privacy concerns, especially for Chinese citizens and dissidents under the impression their conversations are beyond the reach of state surveillance, Stamos said.” reported Bloomberg.

Agora responded to the privacy concerns, saying that it doesn’t store personally identifiable information of its clients.

Over the weekend, cybersecurity expert Robert Potter noticed that a user had found a way to remotely share his login with a third-party site.

The measures implemented by the company were not publicly disclosed. It likely introduced some limitation on the use of third-party applications to access chatroom audio without actually entering a room. Another mitigation could consist of limiting the number of rooms a user can enter simultaneously, as suggested by Jack Cable from the Stanford Internet Observatory.
