It has been reported that the chatroom app Clubhouse had a critical security flaw that allowed an unidentified user to stream Clubhouse audio feeds from “multiple rooms” to their own third-party website. The company responded by permanently banning the user and has added new security controls to close the flaw.
Expert Comments
Clubhouse is still in its early phase and, as with many applications, privacy of its users is often an afterthought. Similar to when Zoom usage went through the roof, Clubhouse is experiencing a huge uptake and learning as it goes. Far too often the security and privacy of a start-up’s userbase is seen as less important than the growth of the company. However, without the right protection in place there is arguably no longevity.
Companies need to do more in investing the right amount of resources
Clubhouse is currently riding a wave of popularity and, as it works to rapidly scale to meet demand, the company may have been less focused on user security. Its ‘by invite only’ model may also create a furtive breeding ground for future cyber-criminal activity, such as fake ‘invitation links’ directing users to malicious downloads.
As the line blurs between the use of devices for personal and work use, businesses should cautiously examine which apps employees use on work devices to understand
The Clubhouse data spillage incident looks like yet another example of security based purely on authenticating the user. As we have seen over and over again, you can't keep scripts and bots out of your business unless you know what you are communicating with as well as who. It is therefore essential to authenticate both the user and the mobile app before granting access to your platform.
The data leakage from audio chat app Clubhouse appears to hinge on a lack of proper authentication and a lack of end-to-end encryption. Add in the challenge of relying on third-party infrastructure, and potentially its security as well, and it is easy to understand how something like this can happen. To be secure and private, applications must have their security baked in from the start. It needs to be embedded at every level, from the communications protocols up through the user interface.
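The two comments above make the same architectural point: a stream grant must check what client is calling, not only who the user is. The following added example (not Clubhouse's code, nor any real attestation API) models that gate in Python with a simplified HMAC-signed app attestation standing in for a platform attestation service; key values, app identifiers and tokens are constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed server-side secrets for this example only.
USER_KEY = b"user-session-key-example"
APP_KEY = b"app-attestation-key-example"
# Assumed identifier of the only client build allowed to receive room audio.
ALLOWED_APPS = frozenset({"com.example.ios-client"})

def _sign(key: bytes, payload: dict) -> str:
    """Serialise payload and append an HMAC-SHA256 tag (simplified token format)."""
    body = json.dumps(payload, sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return base64.urlsafe_b64encode(body).decode() + "." + tag

def _verify(key: bytes, token):
    """Return the payload if the tag matches and the token is unexpired, else None."""
    try:
        b64, tag = token.split(".", 1)
        body = base64.urlsafe_b64decode(b64)
    except (AttributeError, ValueError, TypeError):
        return None
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return None
    payload = json.loads(body)
    return payload if payload.get("exp", 0) > time.time() else None

def issue_user_session(user_id: str, ttl: int = 3600) -> str:
    return _sign(USER_KEY, {"sub": user_id, "exp": time.time() + ttl})

def issue_app_attestation(app_id: str, nonce: str, ttl: int = 60) -> str:
    # Simulates what a platform attestation service would return for a genuine build;
    # the short TTL and server-chosen nonce limit replay of a captured attestation.
    return _sign(APP_KEY, {"app": app_id, "nonce": nonce, "exp": time.time() + ttl})

def grant_room_audio(room_id: str, user_token, app_token, expected_nonce: str) -> dict:
    """Issue an audio grant only when BOTH the user and the calling app check out."""
    user = _verify(USER_KEY, user_token)
    if user is None:
        return {"ok": False, "reason": "bad user session"}
    att = _verify(APP_KEY, app_token)
    if att is None:
        return {"ok": False, "reason": "missing or invalid app attestation"}
    if att["app"] not in ALLOWED_APPS or not hmac.compare_digest(att["nonce"], expected_nonce):
        return {"ok": False, "reason": "unrecognised client or replayed attestation"}
    return {"ok": True, "room": room_id, "user": user["sub"], "client": att["app"]}
```

A script holding a stolen or legitimately obtained user session but no attestation is refused before any room identifier is resolved, which is the property the comments argue for.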
Clubhouse is a platform for social communication, and most of the risks raised about the platform relate to privacy, essentially something the platform already has issues with managing and addressing according to, among others, the German data protection authorities.
Personally, I have not spent an ounce of effort looking into the platform and how it works, but I think we can all agree that there is room for doubt that for a company that forgot to address GDPR in its terms and
Despite the exclusivity of Clubhouse being available on an invite-only basis and limited to iOS devices, its popularity has surged over the last year. Therefore, it is unsurprising to see that individuals have found a way to reverse engineer the Clubhouse API and subsequently publish open source tools that can be used to extract audio from rooms and ultimately develop a clone of the app for Android devices.
In this case, the user's intentions were clear: they wanted to use the application without the need for an iOS device. However, there could be other more nefarious individuals out there who might snoop in on conversations and/or speak as ghost users (not visible in a room, but able to chat) in both public and private rooms, infringing on what legitimate users believe is a limited audience.
There is also the likelihood of vulnerabilities lingering throughout the platform that have yet to be discovered and disclosed. We hope that Clubhouse will introduce an official vulnerability disclosure process so that researchers can help Clubhouse secure its growing platform and, ultimately, its users.
Satnam Narang, Senior Research Engineer, provides expert commentary for "Dot Your Expert Comments" at Information Security Buzz.
https://informationsecuritybuzz.com/expert-comments/security-a-glaring-issue-for-chatroom-app-clubhouse-after-conversations-were-breached