Clubhouse confirms data spillage of its audio streams

Mary-Ann Russon - Business reporter, BBC News

Audio-only social network Clubhouse has confirmed that a user managed to stream content from the app on their website.

The app allows users to participate in public or private audio chatrooms, promising that the content has to be experienced live and is not recorded.

US cyber-security researchers said a user found a way to stream feeds from multiple chatrooms on Sunday.

Clubhouse confirmed the spill, which is when data is released to a place that is not authorised to have access to it.

The firm told Bloomberg it had banned the user and installed new "safeguards" to prevent conversations from being streamed again.

Clubhouse told the BBC that recording or streaming without the explicit permission of the speakers violates the app's terms and conditions.

A spokeswoman said: "Over the weekend, an individual temporarily streamed multiple rooms from their own feed to a website.

"This individual's account has been permanently banned from the service and we have added additional safeguards to prevent people from doing this in the future."

Stanford University's Internet Observatory reported the incident first, but the programme's chief technology officer David Thiel stressed that the data spill was not malicious or a "hack". Instead, he said that it seemed a user had decided to violate Clubhouse's terms.

Australian cyber-security researcher Robert Potter, who built the Washington Post's cyber-security operations centre, agrees.

He explained that a "data spillage" was different to a "data breach", in that data breaches are deliberate and usually carried out by someone hacking into a system to steal data.

A data spillage, on the other hand, is an incident whereby confidential information is released into an environment that is not authorised to have access to the information.

According to him, the incident occurred because a user had realised that it was possible to be in multiple chatrooms at once.

By understanding how this worked, the user was able to connect his website to a Clubhouse API and essentially "share" his login remotely with anyone on the internet who wanted to listen to the audio chats from the app.

"If you're popular, people will make a third-party app that scrapes data from the service, for example all the third-party programs that scrape information from Twitter," Mr Potter told the BBC.
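The relay Mr Potter describes has one visible signature on the service side: a single account sitting in several rooms at the same moment, something a human listener has no reason to do. The following is an added example, not Clubhouse's code and not the "safeguards" the company said it deployed (which it did not describe). It shows how a server-side check could flag that signature from a join/leave event stream; the event format and the sample events are constructed for the illustration.

```python
"""Added example (not Clubhouse's own code): flag accounts that are present in
more than one audio room at the same moment, which is the signal behind the
multi-room relay described in the article. The event log format and the
sample data below are assumptions constructed for this illustration."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    ts: int        # seconds since epoch (constructed)
    user: str      # account identifier (constructed)
    room: str      # room identifier (constructed)
    action: str    # "join" or "leave"


# Constructed sample events, not real Clubhouse traffic.
# "bob" joins three rooms without leaving any; "alice" moves between rooms
# sequentially, which is ordinary behaviour and must not be flagged.
SAMPLE_EVENTS = [
    Event(100, "alice", "roomA", "join"),
    Event(110, "bob",   "roomA", "join"),
    Event(120, "bob",   "roomB", "join"),   # bob is now in A and B at once
    Event(130, "bob",   "roomC", "join"),   # and in C as well
    Event(140, "alice", "roomA", "leave"),
    Event(150, "alice", "roomB", "join"),   # alice left A first: fine
    Event(200, "bob",   "roomA", "leave"),
]


def concurrent_rooms(events, max_rooms=1):
    """Replay the event stream and return {user: (peak_rooms, ts_of_peak)}
    for every user who was in more than `max_rooms` rooms simultaneously.

    Events with the same timestamp are processed leave-before-join so that a
    legitimate switch between rooms in the same second is not counted as
    overlap."""
    ordered = sorted(events, key=lambda e: (e.ts, e.action == "join"))
    active = defaultdict(set)   # user -> set of rooms currently joined
    peaks = {}                  # user -> (highest concurrent count, when)
    for e in ordered:
        rooms = active[e.user]
        if e.action == "join":
            rooms.add(e.room)
        elif e.action == "leave":
            rooms.discard(e.room)
        else:
            raise ValueError(f"unknown action {e.action!r}")
        if len(rooms) > max_rooms and len(rooms) > peaks.get(e.user, (0, 0))[0]:
            peaks[e.user] = (len(rooms), e.ts)
    return peaks


if __name__ == "__main__":
    for user, (count, ts) in concurrent_rooms(SAMPLE_EVENTS).items():
        print(f"{user}: {count} rooms at t={ts}")
```

A check like this only catches the pattern Mr Potter described (one login fanned out across rooms); a relay that uses one account per room, or that simply records the device's own audio as the later section notes, leaves no such trace.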

Security concerns over Clubhouse

Sunday's incident comes after Clubhouse made assurances that user data couldn't be stolen by cyber-criminals or state-sponsored hackers, in response to a warning from Stanford University's Internet Observatory, which is headed by Facebook's former security chief Alex Stamos.

Stanford's cyber-security researchers discovered several security flaws, including the fact that users' unique ID numbers and the ID numbers of the Clubhouse chatrooms they created were being transmitted in plaintext, and it could be possible to connect IDs to specific user profiles.

The researchers were also concerned that the Chinese government could gain access to the raw audio files on Clubhouse's servers, because its back-end infrastructure is provided by a real-time engagement API firm called Agora, which has offices in both Shanghai and San Francisco.

When Agora went public on Wall Street in June, it mentioned in its filing with the US Securities and Exchange Commission (SEC) that in China it would be required "to provide assistance and support in accordance with the law for public security and national security authorities to protect national security or assist with criminal investigations".

Stanford Internet Observatory informed Clubhouse about the security flaws and on 12 February said that it was working with the app firm to improve its security.

'Consider Clubhouse chats to be semi-public'

While it might sound alarming to hear that audio conversations on Clubhouse can be taken out of the app, this isn't exactly new.

Users are already using the video and audio recording functions on their devices to capture conversations had by celebrities like Elon Musk and Kevin Hart, and uploading them to YouTube.

Again, this is against the app's terms of service, but it does mean that no-one should expect their conversations to actually be private, warns Mr Thiel.

"Consider Clubhouse chats to be semi-public, given issues with Agora and the fact we all have microphones," he tweeted.

Mr Potter thinks the problem is more that Clubhouse is young and still immature as a service.

"I feel like there's a bunch of users who got really enthusiastic because it's a new thing and because you need an invitation, the conversations must be private," he said.

"It happened with Zoom and TikTok - again and again, we see an app that has really high growth, it goes viral, and then they have a privacy problem, or they find lots of problems that weren't so big a deal when they were smaller, and cyber-security comes later."

He added that consumers needed to be realistic about what services do with their data.

"I think people just need to realise that the privacy and cyber-security of newer social media platforms isn't going to be as good as mature ones," said Mr Potter.

"If you're going to be an early adopter and try out new apps and new smartphones, there's going to be bugs."