Clubhouse security gaps: China is listening

Another scandal about the data security of the hype app. Clubhouse relies on features from the Chinese startup Agora.io, which make it possible to record specific user conversations.

Several IT security researchers have examined the drop-in audio app more closely with regard to data security. The result: not only can specific user conversations be recorded and saved, but user information can also flow to China via Clubhouse.

“StartAudioRecording”: Hacker group can easily record conversations via the SDK

The hacker group “Zerforschung” found out that Clubhouse uses audio features from the Chinese startup Agora.io for its service. Access is based on tokens that allow users to enter an audio chat room within the app. When examining the SDK (Software Development Kit), the researchers found that these server-generated tokens can also be used to execute the “StartAudioRecording” command. “Zerforschung” writes in its report:

Clubhouse uses tokens. This token is generated on the server side, at Clubhouse we get this when we call the “join_channel” or “create_channel” endpoint. […] How practical, there is “startAudioRecording” to start a recording. We can even choose the quality of the recording.

Also practical, according to the hacker group: Agora.io uses the same user IDs as Clubhouse, so call recordings can be automatically attributed to individual users.
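The two design weaknesses described above (a join token that also carries recording rights, and a media backend that reuses the app's user IDs) have a straightforward mitigation: scope each token to the privileges it needs and give the media backend a per-channel pseudonym instead of the real user ID. The following is an added illustration of that pattern and is not code from Clubhouse or Agora.io; the endpoint names, privilege strings and keys are hypothetical.

```python
import base64
import hashlib
import hmac
import json

# Placeholder keys; in a real deployment they would come from a secret store.
SIGNING_KEY = b"placeholder-signing-key"
UID_PEPPER = b"placeholder-uid-pepper"

JOIN = "joinChannel"            # hypothetical privilege names
RECORD = "startAudioRecording"


def derive_media_uid(app_user_id: str, channel: str) -> str:
    """Per-channel pseudonym for the media backend, so a recording cannot be
    linked to an app user simply because both systems share one identifier."""
    mac = hmac.new(UID_PEPPER, f"{channel}:{app_user_id}".encode(), hashlib.sha256)
    return mac.hexdigest()[:16]


def mint_token(channel: str, media_uid: str, privileges: set) -> str:
    """Sign a token naming the channel, the media uid and ONLY the granted privileges."""
    payload = json.dumps(
        {"channel": channel, "uid": media_uid, "priv": sorted(privileges)}, sort_keys=True
    ).encode()
    sig = hmac.new(SIGNING_KEY, payload, hashlib.sha256).digest()
    return ".".join(base64.urlsafe_b64encode(x).decode() for x in (payload, sig))


def verify_token(token: str):
    """Return the claims if the signature is valid, otherwise None."""
    try:
        p_b64, s_b64 = token.split(".", 1)
        payload = base64.urlsafe_b64decode(p_b64)
        sig = base64.urlsafe_b64decode(s_b64)
    except (ValueError, TypeError):
        return None
    expected = hmac.new(SIGNING_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return None
    return json.loads(payload)


def authorize(token: str, channel: str, action: str) -> bool:
    """Backend check: token must be valid, bound to this channel, and carry the action."""
    claims = verify_token(token)
    if claims is None or claims.get("channel") != channel:
        return False
    return action in claims.get("priv", [])
```

A token issued by a join endpoint would carry only `JOIN`; a separate, short-lived token with `RECORD` would be issued solely to the trust-and-safety process that is allowed to record.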

Data exchange with China: Clubhouse stores user information for an indefinite period

A further examination by the Stanford Internet Observatory (SIO) confirmed that the back-end infrastructure used by the hype app comes from Agora.io. The problem is that the China-based startup Clubhouse works with is obliged to hand over information about users should the Chinese government request it. In China itself, Clubhouse has already fallen victim to censorship.

Since the researchers also discovered that users' Clubhouse IDs and the IDs used in the chat room are transmitted in plain text, attributing conversation recordings to specific users is straightforward. The SIO continues:

Clubhouse’s Privacy Policy states that user audio will be “temporarily” recorded for the purpose of trust and safety investigations […] The policy does not specify the duration of “temporary” storage. Temporary could mean a few minutes or a few years. The Clubhouse privacy policy does not list Agora or any other Chinese entities as data sub-processors. […] The Chinese government could, however, legally demand audio (or other user data) stored in China […].

Clubhouse has since responded to the security holes. The company behind the hype app, Alpha Exploration Co., said it intends to expand its data encryption.

New features instead of data security? Clubhouse expands the room size

Clubhouse has already been criticized for significant data protection gaps. Various legal and IT experts told OnlineMarketing.de that the app was not GDPR-compliant. The Hamburg Commissioner for Data Protection and Freedom of Information, Prof. Dr. Caspar, explained:

The entire data protection architecture of the Clubhouse app shows that the service has evidently grown too quickly and does not meet the requirements of the GDPR.

Despite the numerous shortcomings, the app is growing, and other social media platforms are following the audio-only trend. Facebook is already working on a Clubhouse copy, and Twitter also wants to enter this space with Spaces. The hype app, which can currently only be used on the iPhone, is working on new features. Reverse engineering expert Jane Manchun Wong discovered that Clubhouse had increased the maximum size of its rooms.

It remains to be seen how the drop-in audio app will continue to develop in terms of features and the improvement of data security. What is certain, however, is that Clubhouse is already working on an Android version in order to be accessible to an even larger audience.



Source: OnlineMarketing.de by onlinemarketing.de.
