
Clubhouse Denies Data Breach but API Does Mean User Information is Public

Clubhouse has denied a breach caused data for 1.3 million users to appear online, but it seems the app’s API leaves customer information exposed.


Clubhouse has been one of the success stories of the COVID-19 campaign. While just a standard chat app on the surface, Clubhouse differentiates itself as an invitation-only solution. That helps users have more control over security during remote work and education sessions. Clubhouse’s success has meant several rival apps are integrating similar abilities.

However, there are concerns there could be a bug in the platform allowing user information to appear online. Still, Clubhouse denies this is the case.

Massive amounts of data collected from users have been posted on hacking forums: specifically, a SQL file with personal information related to 1.3 million Clubhouse users. It’s available for free and includes user IDs, real names, photos, and social media handles.

CyberNews reports threat actors could leverage the data to engage in phishing campaigns. Clubhouse denies there is a bug and says the platform is simply built like that. In a Twitter post, the company said:

“This is misleading and false. Clubhouse has not been breached or hacked. The data referred to is all public profile information from our app, which anyone can access via the app or our API.”

What’s the Difference?

Social media responders were quick to point out that Clubhouse did not explain what is false. In other words, the data is available online, so what difference does it make how it got there? Clubhouse allows its API to sit open online, meaning anyone can access the information. That means the company’s no-data-scraping policy is pointless.

“Clubhouse has conflicting user policies – being an invite-only platform and at the same time free-for-all user data,” Setu Kulkarni, vice president with WhiteHat Security, points out. “All it takes is one user to figure out the API for such large data egress of the millions of users on the platform.”

CyberNews researcher Mantas Sasnauskas says there is a privacy bug that is built into the app:

“The way the Clubhouse app is built lets anyone with a token, or via an API, to query the entire body of public Clubhouse user profile information, and it seems that token does not expire,” Sasnauskas said.

They are suggesting the open API itself is a bug that allows threat actors to use Clubhouse user data for nefarious means.


Luke Jones