Over the past few weeks, the Clubhouse social network has become one of the most discussed not only in the world, but also in Runet: Elon Musk invites Vladimir Putin to chat, Mark Zuckerberg ordered the creation of a similar social network, and Vladimir Solovyov threatens to tear off the heads of bionicles because of getting banned.
Nevertheless, this resounding success threatens to turn into an absolute failure, because, along with the attention of the general public, the network has aroused the interest of information security specialists. And, as it turned out, the interest is not unfounded.
Transfer of personal data to servers in China
A team from Stanford University’s Internet Observatory has discovered a connection between a social network and a Shanghai-based startup. As it turned out, Clubhouse uses the infrastructure of the Agora platform for real-time communication, which alerted the researchers. Moreover, in the privacy policy of the social network there is no word about cooperation with the mentioned startup.
A more detailed analysis led to significant results – unique user IDs and rooms are sent to the Agora servers unencrypted, and the servers receive data regardless of the physical location of users. This was discovered during a check in which only US Clubhouse users were in the room.
Based on the research data, experts suggest that in addition to user information, Agora may have access to audio recordings of conversations, but they were unable to confirm this.
Clubhouse’s reaction to the study was not long in coming: management assures that the privacy of conversations is one of the priorities of the social network, while not recognizing security problems, preferring the wording "areas for improvement". Nevertheless, the company promised to fix the problems in a short time, and to hire independent information security experts to check.
It would seem that the incident has been settled – the problems have been eliminated, the audio recordings of conversations are safe … And indeed, it only seemed so.
Hackers managed to record conversations in the Clubhouse rooms
Of course, any advanced user of a social network can record a conversation in the room in which he is located – there are enough applications for recording conversations. The hackers went further: instead of recording a conversation in a separate room, they managed to bring the audio stream from several rooms simultaneously to their web resource.
Almost simultaneously with them, a Chinese user wrote a code that allows anyone to listen to dialogues in the Clubhouse without an invitation, and posted it on GitHub.
As in the previous case, Clubhouse worked quickly: the vulnerabilities were fixed in just a day, and the user who outputted the audio stream was banned. However, it is not known how long these vulnerabilities could be exploited by other hackers.
It is noteworthy that the new scandal provoked more discussion: the chief executive of data protection consulting firm PIX LLC said that Clubhouse did not pay due attention to the privacy policy – because the application collects not only personal information, but also a list of contacts. Moreover, Clubhouse requires access to Twitter account information, but does not explain this need in any way.
As a result, specialists have put forward many claims to the protection of user data and the confidentiality of conversations, but most of them do not pose a significant danger. But the interest that attracted Clubhouse does not go in vain, and enthusiasts create more and more new ways to circumvent the protection of the social network.
Telegram bot for recording conversations in Clubhouse
The other day, an enthusiast introduced a telegram bot that allows you to record conversations in the Clubhouse. Working with it is extremely simple: you need to send a link to an active chat room, after which the bot will join the conference and start recording. At the end of the conversation, the bot will send back one or more audio tracks with a recording of the conversation.
The developer claims that the bot does not violate the rules of the social network, since it warns of the need for written consent to record the conversation from all participants, but it does not specify how the bot gets access to the chat room. Well, over time we will find out how much Clubhouse representatives share the enthusiast’s opinion.
Clubhouse: safe or not?
It is not yet possible to unequivocally answer this question – the social network has only gained popularity, and it is only to be tested by time. As with any issue, there are two sides to the coin: on the one hand, there are many questions not only about privacy policy, but also about actual data protection; on the other hand, the company promptly responds to emerging problems and solves them in a short time.
Based on the available information, Clubhouse can be used for leisure – to listen to interesting speakers, and maybe even participate in a conversation on issues of interest. At the same time, it is not recommended to use this social network for professional activities, because despite the quick resolution of emerging problems, there are still enough of them – which means that the company cannot guarantee the security of your conversations or data.