Sunday, February 21, Clubhouse audio chats have been hacked. Chances are all audio is leaking out to China.
This breach happens just a week after Clubhouse, a popular app where users communicate by sending voice messages, announced it was taking steps to ensure user data couldn’t be stolen.
Apparently, someone hijacked multiple Clubhouse audio feeds and fed them into their own website, said Reema Bahnasy, a spokeswoman for Clubhouse.
Clubhouse was prompt to permanently ban that attacker’s account and install new safeguards to prevent similar hacks. Even so, its users can’t assume their conversations aren’t being recorded.
“Clubhouse cannot provide any privacy promises for conversations held anywhere around the world,” said Alex Stamos, Facebook’s former security chief and director of the Stanford Internet Observatory that first raised security concerns about Clubhouse on February 13.
At the time, SIO alerted Clubhouse that they observed metadata from the app’s chatroom “being relayed to servers we believe to be hosted” in China. Agora is legally required by China’s cyber-security laws to assist the Chinese government in locating audio should it be a matter of national security.
Clubhouse relies on a Shanghai-based startup called Agora for its back-end operations. This means the Chinese company processes all Clubhouse’s data traffic and audio production. While Clubhouse is responsible only for user experience like adding new friends.
Agora refused to comment on Clubhouse’s security or privacy protocols and said they do not store or share personally identifiable information of Clubhouse’s users. “We are committed to making our products as secure as we can,” the company stated.
The hacker or hackers behind the weekend data breach used a custom-built JavaScript toolkit to compile the Clubhouse application. “They effectively jury-rigged the platform,” said Stamos. He also said they couldn’t determine the origin of the attack nor the attackers’ identities.
