Clubhouse app hacked and audio reposted for all — what you need to know


The exclusive, invitation-only iPhone app Clubhouse is the latest big thing on the internet, but it’s not without its issues. Security researchers have already identified a serious flaw in the app’s security, one that’s since been exploited by an unknown hacker.

One user has been able to stream audio from Clubhouse rooms to their own website. The user has since been banned and the company has promised it will be boosting its security measures to make sure it doesn’t happen again. 

The hacker was discovered when cybersecurity experts spotted that audio and metadata were being transferred from Clubhouse to another site. They then discovered that the assailant had accomplished this by building a system around the JavaScript toolkit that is used to compile the Clubhouse app.

According to Robert Potter, CEO of Internet 2.0 (via Bloomberg), “a user set up a way to remotely share his login with the rest of the world”.

Clubhouse is currently an invitation-only app for iPhone, meaning you can’t just sign up for it in the same way you would Twitter or Facebook. Presumably the hacker exploited the existing security hole as a way to let non-users listen in to conversations they don’t normally have access to, although we can’t say for sure what their actual motives were.

The security hole in question was recently uncovered by the Stanford Internet Observatory (SIO). The SIO found that personally identifiable information, including Clubhouse user and chatroom IDs, was being transmitted in plaintext, while it was also possible to get hold of raw audio files.

Initially this led to concerns over the involvement of Chinese start-up Agora, which Clubhouse relied on for its back-end systems. Should Agora be in possession of any Clubhouse data, it would legally have to hand it over to the Chinese government if asked. This information didn’t go down well and forced Clubhouse to promise more robust systems were being put into place, and that all of its data would remain on American servers. 

Obviously whatever measures Clubhouse had planned either weren’t enough, or haven’t been implemented yet. According to SIO researcher Jack Cable, Clubhouse has declined to say what additional steps it’s taken to avoid breaches like this in future.

Clubhouse only launched last year, but has recently come into the public consciousness after Elon Musk used it to interview Robinhood CEO Vlad Tenev. Its popularity has grown rapidly in the time since, though the invite system is severely restricting how many people can join. Until things change, you’re going to have to be patient. Considering the security holes that have been uncovered, it’s probably a good thing that you can’t get involved just yet.

Tom Pritchard
UK Phones Editor

Tom is Tom's Guide's UK Phones Editor, tackling the latest smartphone news and vocally expressing his opinions about upcoming features or changes. It's a long way from his days as editor of Gizmodo UK, when pretty much everything was on the table. He’s usually found trying to squeeze another giant Lego set onto the shelf, draining very large cups of coffee, or complaining about how terrible his Smart TV is.