Clubhouse voice notes were leaked; thousands of users affected

Clubhouse, a social media app on iPhone to interact exclusively through voice notes, confirmed that last weekend it suffered a data leak incident. This platform allows users to join audio chat rooms (public or private); conversations are not stored, so many users are enthusiastic about this service.

David Thiel, chief technology officer at Stanford University’s Internet Observatory, reported the incident, not to mention that this incident was not the product of a cyberattack. On the cause of this incident, the expert believes it could all be because a user decided to violate Clubhouse’s terms of service.

“This is a condition known as an ‘information spillage’, and it is different from data breaches that these incidents are deliberately provoked through a cyberattack or social engineering technique; information spillage occurs when sensitive data is released in an unauthorized environment to access this information,” the expert says.

Thiel believes the incident originated because a user discovered that it was possible to be connected in multiple chat rooms simultaneously, generating the opportunity to connect a Clubhouse API to an external website and share their login remotely with any online user: “Actually creating third-party platforms to extract data from a service is very common. For example, all the tools created to extract information from Twitter.”

Just a couple of weeks ago The developers of Clubhouse stated that the information transmitted through this platform could not be compromised by threat actors sponsored by national states, a statement issued in response to a report from the Internet Observatory. This report details multiple security flaws detected in Clubhouse whose exploitation would allow the leaking of sensitive details in plain text.

Experts who produced this report also considered that advanced hacking groups such as those sponsored by the Chinese government could access audio files on Clubhouse servers as their backend infrastructure is developed by Agora, a company operating in both the United States and China.

This is a serious report but it is not the first time that a similar condition is reported, as in the past some mechanisms have been detailed to intercept information shared through similar platforms. Finally, Thiel attributes the issues to clubhouse being a relatively young service and prone to leaving exploitable gaps by users with various motivations: “This platform must make sure to deliver on what it promises, as it has been shown that conversations are not completely private.”