Clubhouse Chats have been Breached and Streamed Online



A Clubhouse user was able to find a way to share Clubhouse chats outside of the iOS app. According to Bloomberg, Clubhouse “permanently banned” that user, and has installed new “safeguards”. It is unclear what those safeguards are, or how effective they will be, given what is known about Clubhouse.

Stanford Internet Observatory reported that Agora, a Shanghai-based startup, with U.S. headquarters in Silicon Valley, created a platform for other software companies to build upon. Clubhouse is one of the apps using Agora’s platform. According to the Stanford Internet Observatory, “If an app operates on Agora’s infrastructure, the end-user might have no idea.” In short, Agora hosts Clubhouse’s traffic.

Stanford Internet Observatory’s analysts observed Clubhouse’s web traffic using publicly available network analysis tools, such as Wireshark. Their analysis revealed that outgoing web traffic is directed to servers operated by Agora. Joining a channel generates a packet directed to Agora’s back-end infrastructure.

The packet contains metadata about each user, including their unique Clubhouse ID number and the room ID they are joining. That metadata is sent over the internet in plaintext (not encrypted), meaning that any third party with access to a user’s network traffic can read it. In this manner, an eavesdropper might learn whether two users are talking to each other, for instance, by detecting whether those users are joining the same channel.
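The following is an added example, not code from the original post or from Clubhouse or Agora, showing the kind of offline check an app team could run over its own captured traffic to confirm whether join metadata travels in cleartext and what a passive observer could infer from it. The message layout, the field names user_id and room_id, and the sample bytes are all constructed for this example and are not the real Clubhouse or Agora wire format.

```python
"""
Added example (not from the original post, Clubhouse or Agora): audit captured
application-layer payloads for cleartext join metadata, and show the
co-presence inference such metadata allows. Field names, layout and sample
bytes are constructed; they are NOT the real Clubhouse/Agora wire format.
"""
import json
from collections import defaultdict

# Constructed sample payloads, standing in for the application-layer bytes of
# captured segments (e.g. exported from Wireshark "Follow UDP/TCP stream").
CONSTRUCTED_PAYLOADS = [
    b'{"event":"join","user_id":"u-1001","room_id":"r-42"}',
    b'{"event":"join","user_id":"u-1002","room_id":"r-42"}',
    b'{"event":"join","user_id":"u-1003","room_id":"r-7"}',
    # A TLS record (content type 0x16 = handshake, version 0x0303) whose body is opaque.
    b"\x16\x03\x03\x00\x10" + bytes(range(16)),
]


def looks_like_tls_record(payload: bytes) -> bool:
    """Heuristic: TLS records begin with a content type (20-23) and a 0x03xx version."""
    return len(payload) >= 5 and payload[0] in (20, 21, 22, 23) and payload[1] == 0x03


def extract_cleartext_join(payload: bytes):
    """Return (user_id, room_id) if the payload is a readable join message, else None."""
    if looks_like_tls_record(payload):
        return None  # encrypted transport: nothing to read here
    try:
        msg = json.loads(payload.decode("utf-8"))
    except (UnicodeDecodeError, ValueError):
        return None  # not readable JSON, treat as opaque
    if msg.get("event") == "join" and "user_id" in msg and "room_id" in msg:
        return msg["user_id"], msg["room_id"]
    return None


def audit_payloads(payloads):
    """Separate payloads into leaked join records and opaque (encrypted/unreadable) ones."""
    leaked = []
    opaque = 0
    for p in payloads:
        rec = extract_cleartext_join(p)
        if rec is None:
            opaque += 1
        else:
            leaked.append(rec)
    return {"cleartext_joins": leaked, "opaque": opaque}


def co_present_users(join_records):
    """Group users by room: the inference a passive observer can draw from cleartext IDs."""
    rooms = defaultdict(set)
    for user, room in join_records:
        rooms[room].add(user)
    return {room: sorted(users) for room, users in rooms.items() if len(users) > 1}


if __name__ == "__main__":
    result = audit_payloads(CONSTRUCTED_PAYLOADS)
    print(result)
    print(co_present_users(result["cleartext_joins"]))
```

The TLS heuristic is deliberately coarse; its point is that an encrypted record yields nothing to the audit, whereas every readable join message yields a (user, room) pair, and two such pairs sharing a room are enough to establish that two users were in the same channel.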

Stanford Internet Observatory made it clear why Agora’s hosting of Clubhouse matters:

Because Agora is based jointly in the U.S. and China, it is subject to People’s Republic of China (PRC) cybersecurity law. In a filing to the U.S. Securities and Exchange Commission, the company acknowledged that it would be required to “provide assistance and support in accordance with [PRC] law,” including protecting national security and criminal investigations. If the Chinese government determined that an audio message jeopardized national security, Agora would be legally required to assist the government in locating and storing it.

Chief Executive Officer of Internet 2.0, Robert Potter, posted an interesting thread about the Clubhouse situation on Twitter. He points out that it was not a “hack”. “A user set up a way to remotely share his login with the rest of the world. The real problem was that folks thought these conversations were ever private.”

In that thread, Robert Potter tweeted: “The end result of this whole clubhouse experience is that folks have put a lot of data online without considering the privacy implications. I’d strongly recommend people to build more encryption fenced communities for these sorts of conversations in the future.”

The more I learn about Clubhouse the more I think it is a bad idea. I am aware that there are people who enjoy checking out the newest apps, especially if there is a social aspect to them. In my opinion, joining Clubhouse comes at too high a cost to people’s privacy.
