“Are you in Clubhouse yet? Can you invite me?”
Those are some of the most renowned words that come out of the audio-based social app user’s mouths (more like chats)… But none of them expected to say “Clubhouse Data Breach” so soon.
What happened to the iPhone-only service?
Let’s find out.
Clubhouse Chinese Android App
First of all, if you didn’t know: Clubhouse launched in March 2020 and raised $100 million in January of this year, by allowing users to join groups without an invitation code. Some compare this platform to the early days of Twitter, despite being available only for iPhone.
The exclusivity helped the app get aggressive initial traction, but also a terrifying sank.
This is because a programmer in China (apparently Hong Kong) designed and made available an “Android open-source code” on Github, which has now been blocked.
Reema Bahnsay (Clubhouse spokeswoman) told Bloomberg that they added “safeguards” to prevent unwanted third-parties from accessing the app. This was after an “unidentified user” streamed audio feeds from several “rooms.”
John Furrier, founder of SiliconANGLE Media Inc. announced that the Clubhouse application was reverse-engineered and affected by the spray of the bot’s “malicious code.”
Breaking news: Clubhouse audio getting hacked all audio being sucked out. Coming out of China. Story Developing cc @siliconangle
— John Furrier (@furrier) February 21, 2021
For those who also didn’t know: Shanghai-based Agora Inc. manages Clubhouse’s app data traffic and audio production. But Agora claims they don’t “store or share personally identifiable information” for any of its clients.
And Furrier added that even if the access wasn’t malicious, it was truly was intentional.
“Some are suggesting in the cybersecurity community that this is happening at many other levels of government. All users should assume all conversations are being recorded.”
More Comments about Clubhouse Data Breach
Unfortunately for Clubhouse users and stakeholders, this isn’t the only security issue surrounding the app. According to Lourdes Turrecha, Clubhouse rolled out without much privacy measures, claiming that they collect both contact and personal information.
This might freak out those users in which countries’ governments are surveilled by China.
The founder and CEO of Luta Security, Katie Moussouris, told Furrier this incident will be 2021’s wake-up call for services that explode in popularity without refining their cybersecurity. She also warned tech companies that don’t take enough care.
This notice goes just in time, due to all the apparent Clubhouse copycats.
Something similar happened back in 2020 with TikTok and the parent company, ByteDance.
Back then, they said they weren’t sharing user data with the Chinese government, but as we all know, if they want something, they’ll get it somehow.
The following graphic shows how the Clubhouse app posses hardcoded communications with its Chinese servers.
For that reason, the Head of Threat Intelligence at Coalition, Jeremy Turner, says:
“The Clubhouse breach puts a spotlight on a common problem for technology startups: the benefits of technology are often the prime focus or motivating factor for both developers and users, which can be shortsighted.
When a technology’s value is so significant and adoption so swift, the risks come as an afterthought. Startups should be cautious of moving faster than they can keep up with security and privacy considerations.
When developers push new technology into the hands of early adopters, the risks are easy to ignore or think of as a problem for tomorrow, when in reality they should develop data security measures as thoroughly as you develop new user experiences.
Early-stage development risks always seem to be over the horizon, until they’re not.”
And Caroline Wong, a cybersecurity expert at Pentest-as-a-Service leader Cobalt, adds:
“At the end of the day, these types of security flaws often stem from software development life cycles that fail to incorporate rigorous technical security testing.
To avoid future scenarios like we’re seeing with Clubhouse, organizations must incorporate the human element into their security testing from the beginning – via threat modeling, manual pentesting, abuse and misuse cases.
Organizations should avoid relying purely on automated vulnerability scanners, which cannot detect business logic flaws. Investing in the right security controls at the right time can save organizations and their customers a world of challenges down the road.”