Clubhouse, an audio-based social media app created by Paul Davison and released in 2012, first made waves when users started flocking to its doors at the start of the year. The app combines the features of popular social media platforms, Twitter and Facebook, with the communication capability of today’s phones. One of its most interesting features is the “rooms” that it lets users create, which are essentially group audio chats. With rooms, users can give public addresses or host panel discussions with “speakers” and audiences.

The app is still in beta mode and currently available only on iOS. It began life with an invite-only model that limited its users to Silicon Valley elites and celebrities. Recent reports, however, say it now has more than 10 million users and is valued at US$1 billion.

Unfortunately, all is not well for Clubhouse as its time in the spotlight was dampened by cybersecurity and privacy concerns in February 2021.

Is Clubhouse Ripe for Exploitation and Privacy Violation?

Clubhouse’s vulnerability woes were tied to the researchers’ findings detailed below.

Unencrypted User Data

Stanford Internet Observatory alleged that the app’s audio data might not be encrypted after seeing reports that online censors blocked a Clubhouse debate among users in China on 8 February 2021. Further analysis revealed that users’ unique Clubhouse ID numbers and chat room IDs are transmitted in plaintext, likely giving third parties access to raw audio files. The researchers also pointed out that a Shanghai-based company runs part of the app’s infrastructure, insinuating that state actors may spy on its users.

Data Scraping

A couple of weeks after the first concern was raised, Bloomberg reported that another site was scraping data from Clubhouse so even nonusers can listen to audio hosted on the app. While the “thief” may not have had malicious intent, some conversations and other communications may be very private.

Unaffiliated Apps

An Android app developer also reportedly breached Clubhouse’s network when it attempted to make the app available to non-iOS users. Even private chats were not spared and became accessible to those who downloaded the said Android app.

Unnecessary Access to Contact List

Apart from the aforementioned vulnerabilities, Clubhouse was also scrutinized for collecting what users may consider too much information, such as their contact lists. While the app’s users can opt not to allow Clubhouse access to their contact lists, choosing to do so would disallow them from inviting others to join the network. For many, the “add your contacts, or you won’t have friends” option is a seeming violation of their privacy.

Undelete Policy

Concerns regarding the app’s undelete policy were also raised. Clubhouse’s privacy policy states that conversations are only deleted if any user reports them for a trust and safety violation. That may be contrary to what the app’s users may believe—that chats are deleted automatically as soon as everyone leaves a chat room.

GDPR Noncompliance

Clubhouse was also cited for not following the General Data Protection Regulation (GDPR) mandates, as its Terms of Use and Privacy Policy do not mention specific processes for handling European Union (EU) citizens’ data.

Clubhouse has not been idle, though. It quickly acted on the issues raised and published the specific measures it plans to take on its Security at Clubhouse page. The only remaining question is: Will Clubhouse’s actions assuage users’ fears? Or will its further surge in popularity give rise to even more challenges in the future?

What’s Next for Clubhouse?

Clubhouse has become so popular that people with invite codes sell these to the highest bidders, which may present opportunities for scammers. An Android app that had nothing to do with Clubhouse was also seen riding on its fame, using the same name on Google Play. It is possible to see more apps, which may or may not be legitimate, riding on the brand in the future.

Whatever happens next, one thing is clear: Clubhouse needs to address public concerns if its developer wants to continue enjoying growth. It has already taken the first step by improving its infrastructure, at least according to the details published on its security page. With constant improvements, it has the ability to soar like Facebook and Twitter.

Clubhouse Is a Cyber Attack Victim and Should Be Treated as Such.