Skip to main content

Clubhouse promises fix after audio insecurely streamed from third-party website

Clubhouse promises fix after audio insecurely streamed from third-party website


Company says the user has been permanently banned

Share this story

Clubhouse Photo Illustrations
Photo illustration by Jakub Porzycki/NurPhoto via Getty Images

Clubhouse has confirmed one of its users was able to siphon off audio feeds from the invitation-only app and make them accessible from a third-party website, raising security concerns about the fledgling service. A Clubhouse spokesperson told Bloomberg that “multiple rooms” were affected, and that the user behind the breach had been “permanently banned.” It said “safeguards” have been put in place to prevent a repeat, though it reportedly declined to provide specific details.

The incident is a reminder for Clubhouse users to be careful about sharing sensitive information in conversations held via the invite-only iOS app. This is especially important for any Chinese citizens or dissidents using the app, or any users concerned about state surveillance. Although Clubhouse is blocked in China, users are reportedly still able to access the service via VPNs.

A reminder to be careful sharing sensitive information in the app

This latest security incident comes a week after Clubhouse was criticized for vulnerabilities in its infrastructure. A report from the Stanford Internet Observatory found that users’ unique Clubhouse ID numbers and chatroom IDs were transmitted in plaintext, which could theoretically allow an outside observer to work out who’s talking to who on the app. Clubhouse also uses Shanghai-based Agora Inc, for its back-end infrastructure. As a Chinese company, Agora has a legal obligation to assist Chinese authorities in locating the source of audio if it’s deemed to pose a national security risk, the SIO said.

In response to last week’s report, Clubhouse said it plans to add additional encryption and blocks to prevent the service from pinging servers based in China, and that it would be hiring an external security firm to review the updates. Agora told the SIO that it only stores user audio or metadata when required for billing and network monitoring purposes. In a statement to The Verge, Agora said it “does not have access to, share, or store personally identifiable end-user data,” and that it does not route “voice or video traffic from non-China based users” through China.