Clubhouse - cybersecurity risks for companies

29 March 2021

Clubhouse is the new fashionable social network, to which everyone wants access. Basically, Clubhouse is an app – only available for iPhone, at the time of writing – through which users can voice chat and enter various chat rooms in order to interact with other users. As a user, you can create your own chat room or join other available rooms.

Sounds simple and hassle-free, right? However, private investigators and IT professionals will tell you that all social networks are subject to fraud and may have privacy and/or security issues.

From a marketing point of view, any new social network is a good opportunity for a company to promote itself. Brands invest people, money and time in building a presence on social networks, but it has been proven many times that being an early adopter is not always the best solution. There have been many platforms announced as the next big thing, the next big innovation in social networking; Google Plus, Google Wave, Google Buzz, Vine, iTunes Ping, Diaspora, Yik Yak or Orkut are just a few examples. Influencers and businesses wanted to join these phenomena and be part of the conversation, precisely so as not to miss the train of innovation and to be present on any platform that could become relevant to their audience. However, many were failed experiments, with most of the platforms listed above having been withdrawn from the market.

At the moment, we do not know how the new Clubhouse social network will evolve or whether it is worth the effort to invest in building a presence in this environment. However, as private investigators with experience in cybersecurity and dismantling Internet fraud, we are interested in exploring the Clubhouse phenomenon and investigating the risks of fraud and the security vulnerabilities to which users of this audio social network are exposed, whether they are aware of them or not.

A first concern would be the security of the platform. In February 2021, a Clubhouse user managed to hijack several chat rooms and stream live audio to another site. A Clubhouse spokesman told Bloomberg that the user had been removed from the platform and that precautionary measures had been taken.

Another incident, this time located in China, is related to a user who created code that allowed those who had not received an invitation to Clubhouse to listen to the conversations on the platform, and then posted it on GitHub. The code was blocked in the meantime, but clones of it appeared later.

Researchers at the Stanford University Internet Observatory discovered several security weaknesses in Clubhouse, including the fact that the app user ID and the IDs of the created chat rooms were transmitted in plain text, without any encryption, and could easily be accessed by illicit actors. The researchers were also concerned that the Chinese government could have access to the conversations on the platform, as the API is owned by Agora, which has offices in both San Francisco and Shanghai. Last but not least, the Chinese government could have direct access to the audio files recorded after the chat sessions on Clubhouse.

Therefore, here are some recommendations for using Clubhouse:

  • The right way to use the application is by understanding and accepting that the platform is not a private environment and that the discussions held there could become public at any time.
  • Both the terms and conditions of use of the application and the information to which users grant access should be read and understood by each user, not just ticked blindly in order to enter the app. Ideally, a specialist in cybersecurity and/or anti-fraud investigations within the company studies the Clubhouse policies and then informs the organization about the app’s vulnerabilities and the possible repercussions that may result from its use.
  • Selling Clubhouse invitations can be a source of fraud, as can invitations to an Android version of the app. At the moment, Clubhouse offers support exclusively for iPhone, so any application that offers access on Android is neither official nor secure.
  • Such applications have not yet implemented a user verification system. For this reason, we recommend that you carefully verify the identity of the people you are talking to and make sure that the person whose identity is being used is really behind the username.
  • Many people are in a hurry to give Clubhouse access to their phonebook in exchange for the opportunity to invite other users. The invite option does not work if the Clubhouse user does not grant access to the address book, but this trade-off violates privacy principles. If a user does not want the application to collect all the contact information in the phonebook, the user may refuse access.
  • We recommend that companies looking for technical solutions for virtual meetings choose the safest solutions, not the fashionable ones. Business information is confidential, not public.

Trend Micro conducted a study on cybersecurity risks for voice-based social networks, from which we note the following conclusions:

  • Interception of traffic and conversations can be done quite easily by attackers.
  • Impersonating a public figure using a deepfake voice (voice cloning) is possible.
  • Recording conversations and using them in fraudulent acts, including on Clubhouse, by creating fake accounts and using these recordings for illicit purposes, may occur.
  • Harassment and blackmail of a person on the Clubhouse platform are possible.
  • Illegal methods of obtaining an invitation to this service are being used.

SPIA private investigators recommend caution in the use of all social networks and treating any information provided on them as public, not private.