An attacker was able to siphon audio feeds from multiple Clubhouse rooms

An attacker demonstrated this week that Clubhouse chats are not secure: they were able to siphon audio feeds from “multiple rooms” into their own website.

While the popularity of the audio chatroom app Clubhouse continues to increase, experts are questioning the level of security and privacy it offers its users.

Recently the company announced it is working to enhance the security of its platform and to prevent threat actors from accessing audio chats. Unfortunately, a group of attackers has proved the platform’s live audio can be siphoned.

Over the weekend, an unidentified attacker was able to stream Clubhouse audio feeds from multiple rooms into their own third-party website.

In response to the malicious activity, the company permanently banned the account used by the attacker and deployed new “safeguards” to prevent similar attacks in the future, but Clubhouse was not able to ensure that it will not happen again.

Representatives of the Stanford Internet Observatory declared that users should assume all conversations are being recorded by the company, a circumstance that raises concerns because they have no information on how the conversations are stored.

“Clubhouse cannot provide any privacy promises for conversations held anywhere around the world,” said Alex Stamos, director of Stanford Internet Observatory and former Facebook CSO.

The privacy questions raised are not limited to the way data are stored. Experts like Stamos pointed out that Clubhouse implements back-end operations with the support of the Chinese start-up Agora Inc.

“Clubhouse’s dependence on Agora raises extensive privacy concerns, especially for Chinese citizens and dissidents under the impression their conversations are beyond the reach of state surveillance, Stamos said.” reported Bloomberg.

Agora responded to the privacy concerns saying that it doesn’t store personally identifiable information of its clients.

Over the weekend, cybersecurity expert Robert Potter noticed that a user had found a way to remotely share his login with a third-party site.

“Let’s talk about the Clubhouse ‘hack’ which wasn’t. A user set up a way to remotely share his login with the rest of the world. The real problem was that folks thought these conversations were ever private. 1 https://t.co/H4f5G8IeMq pic.twitter.com/0y18WmNdth” — Robert Potter (@rpotter_9) February 21, 2021

The measures implemented by the company were not publicly disclosed. It likely introduced some limitation on the use of third-party applications to access chatroom audio without actually entering a room. Another mitigation could consist of limiting the number of rooms a user can enter simultaneously, as suggested by Jack Cable from the Stanford Internet Observatory.

Pierluigi Paganini

(SecurityAffairs – hacking, Clubhouse)

The post An attacker was able to siphon audio feeds from multiple Clubhouse rooms appeared first on Security Affairs.