
Someone hacked Clubhouse and spied on private rooms — here's how


Clubhouse continues to grow in popularity, despite the app only being available for iOS devices and technically still being in development. As with all new apps starting up, there are security vulnerabilities that need to be addressed. Turns out Clubhouse had a big one.

A security researcher found a way to hack the audio chat app that could let attackers spy on or disrupt private rooms without being detected. If you had two iPhones and a Clubhouse account, you could have, too.

The flaw was discovered by researcher Katie Moussouris, who could appear to have left a private room on the iOS app while still remaining in the room as an invisible user. Even worse, the vulnerability could allow attackers to keep talking while being immune to moderators.

As shown in Moussouris' demonstration, all you needed were two iPhones and a Clubhouse account. First, you would need to log in and join a room on Clubhouse on the first iPhone, and then log in on the second iPhone. From there, you would be automatically logged out on the first iPhone — sort of.

While logged in on the second iPhone, you wouldn't be fully logged out on the first, as it would still have a live connection to the room. Once you left the room on the second iPhone, you would still be connected via the first iPhone, except you would now be invisible.

Moussouris breaks down the vulnerability into two categories: attackers becoming an "Eavesdropping ghost (Stillergeist)" or a "Trolling ghost (Banshee Bombing)." The former meant attackers could silently spy in any room on the app, while the latter allowed attackers to disrupt rooms by verbally harassing victims without moderators being able to control them.
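The flow described above can be reproduced in a small server model. This is an added example, not code from Moussouris' write-up or from Clubhouse: it assumes presence is tracked per user while audio streams are tracked per device, and shows one way to close the gap by tying each stream to the session that opened it. All class, method, device and room names are hypothetical.

```python
# Constructed model; class, method, device and room names are hypothetical.
class RoomServer:
    def __init__(self, hardened):
        self.hardened = hardened
        self.session = {}  # user -> device that holds the current login
        self.streams = {}  # (user, device) -> room with a live audio stream
        self.roster = {}   # room -> users visible to moderators

    def login(self, user, device):
        old = self.session.get(user)
        self.session[user] = device
        if self.hardened and old not in (None, device):
            self._close(user, old)  # revocation also ends the old device's stream

    def join(self, user, device, room):
        if self.session.get(user) != device:
            raise PermissionError("stale session")
        self.streams[(user, device)] = room
        self.roster.setdefault(room, set()).add(user)

    def leave(self, user, device, room):
        if self.hardened:
            self._close(user, device)
        else:
            # Flaw: presence is keyed by user alone, so the roster entry goes
            # away while another device's stream to the room stays open.
            self.streams.pop((user, device), None)
            self.roster.get(room, set()).discard(user)

    def _close(self, user, device):
        room = self.streams.pop((user, device), None)
        if room is None:
            return
        if not any(u == user and r == room for (u, _), r in self.streams.items()):
            self.roster[room].discard(user)

    def ghosts(self, room):
        """Audit check: users streaming in a room but missing from its roster."""
        live = {u for (u, _), r in self.streams.items() if r == room}
        return live - self.roster.get(room, set())


def replay(hardened):
    """Replay the steps the article lists and return the room's ghost users."""
    server = RoomServer(hardened)
    server.login("alice", "phone-1")
    server.join("alice", "phone-1", "room")
    server.login("alice", "phone-2")
    server.leave("alice", "phone-2", "room")
    return server.ghosts("room")
```

The `ghosts` check is the invariant a defender would monitor: every live stream in a room should map to a user on that room's roster.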

While Clubhouse took time to reply to Moussouris after she sent a report, the company eventually got back to her and the issue has now been fully resolved.

Clubhouse has run into other privacy issues since its surge in popularity back in December, including a recent "data leak". This newly discovered vulnerability shows Clubhouse still has screws to tighten, especially since it's expected to come to Android soon.

Moussouris fully explains how she discovered the bug and the process she went through in a post. Check it out for more details.

(H/T Wired)