Clubhouse chats were available offline when they should have been deleted following security breach

Back-end infrastructure provided by a Chinese company could mean Beijing could listen to Clubhouse conversations

Adam Smith
Tuesday 23 February 2021 09:07 EST
Comments
(AFP via Getty Images)

Your support helps us to tell the story

From reproductive rights to climate change to Big Tech, The Independent is on the ground when the story is developing. Whether it's investigating the financials of Elon Musk's pro-Trump PAC or producing our latest documentary, 'The A Word', which shines a light on the American women fighting for reproductive rights, we know how important it is to parse out the facts from the messaging.

At such a critical moment in US history, we need reporters on the ground. Your donation allows us to keep sending journalists to speak to both sides of the story.

The Independent is trusted by Americans across the entire political spectrum. And unlike many other quality news outlets, we choose not to lock Americans out of our reporting and analysis with paywalls. We believe quality journalism should be available to everyone, paid for by those who can afford it.

Your support makes all the difference.

Clubhouse, the invite-only audio chatting app on iPhones and iPads, has been found to have a vulnerability which would allow audio from the website to be fed into another website.

A report from Stanford Internet Observatory (SIO) states that Agora, the Chinese company that supplies Clubhouse with back-end infrastructure, would have access to users’ raw audio, a user’s unique Clubhouse ID number and the chatroom ID.

These identifiers are in plaintext, meaning they can be read with anyone should they gain access to it - and also means the information could be provided to the Chinese government.

As such, conversations “about the Tiananmen protests, Xinjiang camps, or Hong Kong protests could qualify as criminal activity”, the report continues.

The Wall Street Journal also reported that Clubhouse users from Chinese cities including Beijing and Shenzhen speaking about the treatment of China’s Uighur Muslims and the Tiananmen Square protests were suddenly shut down, and the text messages that would allow new user registrations were not being sent.

Clubhouse spokesperson Reema Bahnasy told Bloomberg said that an unidentified user was able to stream audio from Clubhouse from “multiple rooms” to another website, but they said that user had been “permanently banned” and installed new “safeguards” to stop the issue repeating. Researchers suggest this may not be enough.

“SIO analysts observed Clubhouse’s web traffic using publicly available network analysis tools, such as Wireshark. Our analysis revealed that outgoing web traffic is directed to servers operated by Agora, including ‘qos-america.agoralab.co’”, the researchers say.

“Joining a channel, for instance, generates a packet directed to Agora’s back-end infrastructure.” Unless Clubhouse implemented end-to-end encryption, something the Stanford Internet Observatory says is “extremely unlikely”, the audio could be intercepted, transcribed, and stored.

Agora told Bloomberg that it couldn’t comment on Clubhouse’s security or privacy protocols but insisted that it does not “store or share personally identifiable information”.

Former Facebook security executive Alex Stamos, who was involved in the report, tweeted that there was “undocumented use of servers” by EnjoyVC, another Chinese company; it is unclear what services the company provides, but Stamos claims that “neither Agora or EnjoyVC are listed as data sub-processors by Clubhouse.”

Agora, Clubhouse, and EnjoyVC did not respond to a request for comment from The Independent before publication.

This is not the only privacy concern that Clubhouse has had to reckon with lately. Thailand’s digital ministry has warned users in the country that speaking about illegal activities could be punishable with up to 15 years in prison.

Such infractions include a “lese majeste” law against insulting or defaming the country’s king.

Clubhouse was also found to use contact information from users’ phones to invite others; even if you reject the app’s request, these lists and recommendations will still be pushed as users’ mobile numbers may have been uploaded by someone else who gave Clubhouse access to their contacts.

Journalist Will Oremus noted that when he signed up he was being nudged to “invite my former pediatrician, barber, and a health worker who once cared for my dying father” to the app.

Join our commenting forum

Join thought-provoking conversations, follow other Independent readers and see their replies

Comments

Thank you for registering

Please refresh the page or navigate to another page on the site to be automatically logged inPlease refresh your browser to be logged in