Clubhouse audio data leaked, raising security concerns

This article is reproduced from IT House


On the morning of February 22, it was reported that Clubhouse, the popular audio chat room application, had stated that it would take measures to ensure that user data would not be stolen by malicious hackers or spies. Now, however, at least one cyber attacker has proved that the real-time audio of the Clubhouse platform can be stolen.

Clubhouse spokesperson Reema Bahnasy said that this weekend, an unidentified user was able to transmit Clubhouse audio from "multiple rooms" to their own third-party website.

Clubhouse stated that it will "permanently ban" this user and that it has put new "security measures" in place to prevent such incidents from recurring. However, some researchers believe that the Clubhouse platform may never be able to fulfill such a promise.

On February 13, the Stanford Internet Observatory publicly raised the issue of Clubhouse’s security for the first time. The agency said late Sunday that users using the iOS app, which can only be used by invitation, should assume that all conversations will be recorded.

Alex Stamos, former head of security at Facebook and current head of SIO, said: “Clubhouse cannot provide any privacy commitments for any conversation that takes place around the world.”

Stamos and his team also confirmed that Clubhouse relies on Agora Inc., a Shanghai-based startup, to handle most of its back-end operations. Stamos said that although Clubhouse is mainly responsible for the user experience, such as adding new friends and finding rooms, the platform's data traffic processing and audio production services still rely on the Chinese company.

Stamos said that Clubhouse's reliance on Agora has caused widespread privacy concerns. Agora stated that it cannot comment on Clubhouse's security or privacy agreements, and insisted that it does not "store or share personally identifiable information" for any of its customers, of which Clubhouse is just one. Agora said: "We are committed to making our products as safe as possible."

Last weekend, cybersecurity experts noticed that some audio and metadata were moved from the Clubhouse platform to another website. Robert Potter, CEO of Internet 2.0 in Canberra, Australia, said: "A user has established a way to remotely share their login information with the rest of the world. The real problem is that people thought these conversations were always private."

Whoever was behind the weekend audio theft built their own system around a JavaScript toolkit used to compile the Clubhouse application. Stamos believes that they effectively built a makeshift version of the platform. SIO publicly stated that it has not yet determined the source or identity of the attacker.

Jack Cable, a researcher at SIO, said that although Clubhouse declined to explain what measures were taken to prevent similar violations, the solution may include preventing the use of third-party applications to access chat room audio without actually entering the chat room, or simply limiting the number of chat rooms that a user can enter at the same time.

Recently, Clubhouse raised US$100 million at a valuation of US$1 billion. Since mid-January, Agora's stock price has soared by more than 150%, and its market value is now close to US$10 billion.


Origin blog.csdn.net/m0_46163918/article/details/113947228