Clubhouse, the invite-only audio chatting app for iPhones and iPads, has been found to have a vulnerability that allowed audio from its chatrooms to be streamed to a third-party website.
A report from Stanford Internet Observatory (SIO) states that Agora, the Chinese company that supplies Clubhouse with back-end infrastructure, would have access to users’ raw audio, a user’s unique Clubhouse ID number and the chatroom ID.
These identifiers are sent in plaintext, meaning anyone able to intercept the traffic could read them – and, because Agora is a Chinese company, the information could be provided to the Chinese government.
As such, conversations “about the Tiananmen protests, Xinjiang camps, or Hong Kong protests could qualify as criminal activity”, the report continues.
The Wall Street Journal also reported that Clubhouse users in Chinese cities including Beijing and Shenzhen who were discussing the treatment of China’s Uighur Muslims and the Tiananmen Square protests were suddenly cut off, and that the text messages required for new user registrations were not being delivered.
Clubhouse spokesperson Reema Bahnasy told Bloomberg that an unidentified user was able to stream audio from “multiple rooms” to another website, but that the user had been “permanently banned” and new “safeguards” installed to stop the issue recurring. Researchers suggest this may not be enough.
“SIO analysts observed Clubhouse’s web traffic using publicly available network analysis tools, such as Wireshark. Our analysis revealed that outgoing web traffic is directed to servers operated by Agora, including ‘qos-america.agoralab.co’”, the researchers say.
“Joining a channel, for instance, generates a packet directed to Agora’s back-end infrastructure.” Unless Clubhouse implemented end-to-end encryption, something the Stanford Internet Observatory says is “extremely unlikely”, the audio could be intercepted, transcribed, and stored.
Agora told Bloomberg that it couldn’t comment on Clubhouse’s security or privacy protocols but insisted that it does not “store or share personally identifiable information”.
Former Facebook security executive Alex Stamos, who was involved in the report, tweeted that there was “undocumented use of servers” by EnjoyVC, another Chinese company; it is unclear what services the company provides, but Stamos claims that “neither Agora or EnjoyVC are listed as data sub-processors by Clubhouse.”
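The check the SIO analysts describe (export the destinations an app talks to from Wireshark, then compare them against the data sub-processors the vendor actually discloses) is mechanical enough to script. The following is an added illustration, not code from the Stanford Internet Observatory report or from Clubhouse, Agora or EnjoyVC. It takes a list of observed destination hostnames with transport and port, as you would export from a capture, groups them by domain, and flags domains that are not on the declared sub-processor list as well as flows that are not plain TCP/443 and therefore deserve a closer look for plaintext. Every hostname and the declared list are constructed for the example; only agoralab.co comes from the report.

```python
"""Audit an app's observed network egress against its declared data sub-processors.

Added example (not from the SIO report or any vendor). Input mimics a tshark/Wireshark
export of resolved destination names: one "host,proto,port" line per distinct flow.
"""
from collections import defaultdict

# Hypothetical declared list: the app's own first-party domain plus two disclosed
# sub-processors. Assumption for the example, not Clubhouse's real sub-processor list.
DECLARED_SUBPROCESSORS = {
    "clubhouse-example.com",   # first-party (constructed name)
    "example-cdn.net",         # constructed
    "example-push.com",        # constructed
}

# Constructed sample export. Not real capture data; agoralab.co is the one name the report cites.
SAMPLE_OBSERVED = """\
api.clubhouse-example.com,tcp,443
qos-america.agoralab.co,tcp,443
123.agora-example-edge.agoralab.co,udp,8000
cdn.example-cdn.net,tcp,443
push.example-push.com,tcp,443
enjoyvc-example.net,udp,9000
"""


def parse_export(text):
    """Parse "host,proto,port" lines into (host, proto, port) tuples, skipping blanks/comments."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, proto, port = line.split(",")
        rows.append((host.lower().rstrip("."), proto.lower(), int(port)))
    return rows


def declared_match(host, declared):
    """Return the declared domain that host equals or is a subdomain of, else None."""
    for d in declared:
        if host == d or host.endswith("." + d):
            return d
    return None


def audit(rows, declared):
    """Group flows by domain; mark undeclared domains and flows that are not TCP/443."""
    by_domain = defaultdict(list)
    for host, proto, port in rows:
        match = declared_match(host, declared)
        # For undeclared hosts, group on the last two labels so sub-hosts land together.
        key = match or ".".join(host.split(".")[-2:])
        by_domain[key].append((host, proto, port))

    report = {}
    for key, flows in by_domain.items():
        undeclared = declared_match(flows[0][0], declared) is None
        # Anything other than TCP/443 is not obviously TLS. Media streams often run over UDP;
        # that alone does not prove plaintext, but it is where to point the dissector next.
        non_tls = [f for f in flows if not (f[1] == "tcp" and f[2] == 443)]
        report[key] = {
            "undeclared": undeclared,
            "hosts": sorted({f[0] for f in flows}),
            "non_tls_flows": non_tls,
        }
    return report


def undeclared_domains(rows, declared):
    """Sorted list of domains the app talks to that the vendor has not declared."""
    return sorted(k for k, v in audit(rows, declared).items() if v["undeclared"])


if __name__ == "__main__":
    rows = parse_export(SAMPLE_OBSERVED)
    for domain, info in audit(rows, DECLARED_SUBPROCESSORS).items():
        flag = "UNDECLARED" if info["undeclared"] else "declared"
        print(f"{domain}: {flag}, hosts={info['hosts']}, non-TLS flows={len(info['non_tls_flows'])}")
```

Run against a real export, the undeclared list is the set of third parties to ask the vendor about, and the non-TLS flows are the candidates to inspect for identifiers sent in the clear, which is the distinction the report draws between transport encryption to a back-end provider and end-to-end encryption that would keep the provider itself from reading the audio.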
Agora, Clubhouse, and EnjoyVC did not respond to a request for comment from The Independent before publication.
This is not the only privacy concern that Clubhouse has had to reckon with lately. Thailand’s digital ministry has warned users in the country that speaking about illegal activities could be punishable with up to 15 years in prison.
Such infractions include a “lese majeste” law against insulting or defaming the country’s king.
Journalist Will Oremus noted that when he signed up he was being nudged to “invite my former pediatrician, barber, and a health worker who once cared for my dying father” to the app.