Audio streaming app Clubhouse has confirmed a data spillage on the platform, which has raised security concerns amongst users.
Speaking to Bloomberg, Clubhouse confirmed the spill and said it had banned the user.
Reema Bahnasy, Clubhouse spokesman, said an unidentified user could stream audio feeds from multiple rooms on Clubhouse to their own third-party site.
Users could join and participate in ongoing discussions on public or private audio chatrooms with full closure on the platform.
Data spillage detected by US cybersecurity researcher
Researchers at the Stanford University Internet Observatory, which is headed by Facebook’s former security chief Alex Stamos, made the first report and said they had warned the platform several times about cybercriminals and state-sponsored hackers.
In response to the warning, Clubhouse said it had taken steps to ensure users’ data could not be stolen.
However, the cybersecurity experts noticed the spill over the weekend.
David Thiel, the programme’s chief technology officer, said that the data which leaked wasn’t ‘malicious or harmful.’
Rather, the concern was that a user could decide to violate Clubhouse’s terms of service while many users assumed their conversations were private.
Data spillage different from data breach
Robert Potter, an Australian researcher, explained that ‘data spillage’ was different from ‘data breach.’
A data breach involves hacking into a system to steal information.
Data spillage, on the other hand, is when confidential information is released to the public, especially when there was no authorised access to the information.
The spillage happened because the user had found a way to work around the system and be in multiple rooms at once.
In other words, the user connected the Clubhouse API to his own website and could share his login with anyone in the world who wanted to listen to the audio chats from the platform.
Potter, who built Washington Post’s cyber-security operations centre, explained that it was normal for third parties to scrape data from popular apps.
“If you’re popular, people will make a third-party app that scrapes data from the service.
“For example, all the third-party programs that scrape information from Twitter.”
Clubhouse is still young and growing
Potter added:
“I feel like there’s a bunch of users who got really enthusiastic because it’s a new thing and because you need an invitation, the conversations must be private.”
Apparently, the same experience occurred with TikTok and Zoom.
“It happened with Zoom and TikTok – again and again, we see an app that has really high growth, it goes viral, and then they have a privacy problem, or they find lots of problems that weren’t so big a deal when they were smaller, and cyber-security comes later.”
He further explained the need for consumers to understand that their privacy on a newer platform wouldn’t be as good as on older platforms.
“If you’re going to be an early adopter and try out new apps and new smartphones, there’s going to be bugs.”
Other security concerns
Stanford University Internet Observatory researchers also discovered other loopholes in Clubhouse’s security system.
Users’ unique ID numbers and the ID numbers of Clubhouse chatrooms were transmitted in plaintext, connecting IDs to specific users’ profiles.
The researchers were also concerned that the Chinese government would gain access to raw files on the Clubhouse server, as a Shanghai-based company, Agora, provides the infrastructure used to build the site’s backend.
The company is in charge of helping Clubhouse process its data traffic and audio production, while Clubhouse is responsible for its users’ experience.
However, Clubhouse’s dependence on Agora is alarming for some, as the privacy of conversations isn’t assured.
Even when asked about the platform’s security situation, Agora insisted that ‘it doesn’t store or share personally identifiable information.’
Also, Agora noted its commitment to making its products as secure as possible.
However, Alex Stamos, director of the SIO and Facebook Inc.’s former security chief, said:
“Clubhouse cannot provide any privacy promises for conversations held anywhere around the world.”
Clubhouse could be a public site, after all
Notably, Clubhouse is becoming a public site, and the recent incident wasn’t so surprising.
Users had already been using the video and audio recording apps on their devices to capture conversations on the platform, including conversations of world influencers like Elon Musk, Kevin Hart and others.
Although Clubhouse hasn’t mentioned the new ‘safeguard’ policy yet, some suggested solutions may include the platform preventing third-party connections and limiting the number of rooms a user can access simultaneously.