Clubhouse Exclusivity Applies to Membership, Not Data
There’s a certain irony that an invitation-only social media platform would find a hacker posted data on 1.3 million of its users on an online forum.
But that’s exactly where Clubhouse found itself over the weekend, proffering by way of explanation that user profile data is accessible by virtually anyone using its app or through its API. Apparently, then, Clubhouse’s exclusivity applies only to onboarding new members, not to their information – names, number of followers and user IDs.
“Clubhouse has conflicting user policies – being an invite-only platform and, at the same time, free-for-all user data,” said Setu Kulkarni, vice president, strategy, at WhiteHat Security.
The company assured members that the site had “not been breached or hacked,” in what can hardly be called a resounding endorsement of top-notch privacy practices. “The data referred to is all public profile information from our app, which anyone can access via the app or our API,” Clubhouse tweeted in response to reports that the SQL database posted on the hacker forum was the product of a breach.
Clubhouse is not alone as a target for data leaks, of course. Just days ago, Facebook and LinkedIn faced their own leaked-data problem when information scraped from more than one billion profiles showed up for sale on an online forum.
“It’s clear that there is a bigger problem with API incidents than just these three isolated events,” said Michael Isbitski, technical evangelist at Salt Security. “While social media companies are taking the heat right now because of the sensitivity of data they keep and resulting privacy impacts, I don’t expect that this will be the last of these sort of scraping incidents.”
APIs, Isbitski pointed out, “are regularly the vehicle for functionality and data and social media companies inherently design their platforms to be consumable, powering much of it with APIs.” Attackers are well aware of that, and continue to target APIs in scraping attacks, repurposing publicly available data for malicious purposes.
But when all development “has now shifted to API-first development, then why hasn’t security also shifted to API-first security?” Kulkarni asked.
“Arguably, making APIs public has a much lower bar than making the application public [online or through app stores],” he explained, so it only takes a single user “to figure out the API for such large data egress of the millions of users on the platform.”
It’s also not the first time that Clubhouse’s wonky privacy practices have come under scrutiny. In January, privacy advocate Alexander Hanff called out Clubhouse for not using end-to-end encryption (e2ee) and other privacy sins. “As with all modern social media platforms focused on sending messages, Clubhouse uses e2ee right[?] … [W]ell … no is the answer here,” he wrote in a LinkedIn blog post.
The “Personal Data We Collect” section of the company’s privacy policy says that audio is collected while a room is live “solely for the purpose of supporting incident investigations,” and is quickly deleted if no incident is reported or after an investigation has been completed, Hanff noted.
“So, if they are recording the conversations in the room for investigative purposes, clearly the audio messages are not end-to-end encrypted,” Hanff wrote, which represents a “big problem” in complying with EU privacy regulations. GDPR, he pointed out, “requires privacy by design and default,” but Clubhouse’s ability “to record all conversations … doesn’t meet this legal requirement.”
There are so many troubling privacy issues at Clubhouse that run afoul of EU regulation – from the collection of content, communications associated with sign-up, messaging and communicating with other members, to the use and storage of data – that Hanff said “it would basically require copying and pasting 80% of their privacy policy” to explain them.
For those tasked with securing corporate assets, leaks of user data from platforms like Clubhouse and Facebook are troubling. “There are countless services that connect to social media platforms as a form of validation and integration,” said Hank Schless, senior manager, security solutions, at Lookout. “You need to know what services the apps on employee devices connect to in order to have proper visibility into data access policies. In order to protect your enterprise data, you may want to implement policies that block apps that integrate with social media platforms.”
Kulkarni urges better testing of APIs in production, calling it “more important than ever, for not just vulnerabilities but also for business logic flaws that can result in unfettered access to user data by malintending actors.”
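The scraping pattern Isbitski and Kulkarni describe, in which a single client walks a public profile endpoint through millions of user IDs, leaves a recognisable trace in API access logs even when every individual request is legitimate. The following detector is an added example for defenders, not Clubhouse’s code or any vendor’s product: it reads constructed access-log lines (the log format, the `/api/v1/users/<id>` path, the client labels and the thresholds are all assumptions) and flags clients that fetch many distinct profiles in a short window, mostly by stepping through IDs in order. This is the kind of business-logic check that production API testing and monitoring can catch, as opposed to a classic injection vulnerability.

```python
"""Detect enumeration-style scraping of a public profile API from access logs.

Added example, not Clubhouse's code. The log line layout, endpoint path,
client identifiers and thresholds below are assumptions for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timezone

# Assumed log layout: ISO-8601 timestamp, client key (API token or IP), method, path.
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) GET /api/v1/users/(?P<uid>\d+)$")

# Constructed sample: client-A walks IDs 1000..1029 one per second (enumeration);
# client-B fetches a couple of unrelated profiles at a human pace.
SAMPLE_LOG = "\n".join(
    [f"2021-04-12T10:00:{i:02d}Z client-A GET /api/v1/users/{1000 + i}" for i in range(30)]
    + [
        "2021-04-12T10:00:05Z client-B GET /api/v1/users/48211",
        "2021-04-12T10:00:40Z client-B GET /api/v1/users/77",
        "2021-04-12T10:01:10Z client-B GET /api/v1/users/48211",
    ]
)


def parse_log(text):
    """Yield (timestamp, client, user_id) for each well-formed line; skip the rest."""
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        yield ts, m["client"], int(m["uid"])


def detect_scrapers(text, window_seconds=60, min_distinct=20, min_sequential_ratio=0.8):
    """Return {client: stats} for clients whose requests inside any sliding
    window cover at least `min_distinct` distinct profiles and mostly advance
    the user ID by exactly one (the signature of ID enumeration)."""
    per_client = defaultdict(list)
    for ts, client, uid in parse_log(text):
        per_client[client].append((ts, uid))

    flagged = {}
    for client, events in per_client.items():
        events.sort()  # order by time; tuples sort on the timestamp first
        start = 0
        for end in range(len(events)):
            # Shrink the window from the left until it spans <= window_seconds.
            while (events[end][0] - events[start][0]).total_seconds() > window_seconds:
                start += 1
            ids = [uid for _, uid in events[start:end + 1]]
            distinct = len(set(ids))
            if distinct < min_distinct:
                continue
            steps = [b - a for a, b in zip(ids, ids[1:])]
            seq_ratio = sum(1 for s in steps if s == 1) / len(steps)
            if seq_ratio >= min_sequential_ratio:
                flagged[client] = {
                    "distinct_ids": distinct,
                    "sequential_ratio": round(seq_ratio, 2),
                    "window_start": events[start][0].isoformat(),
                }
                break  # one finding per client is enough to act on
    return flagged


if __name__ == "__main__":
    for client, stats in detect_scrapers(SAMPLE_LOG).items():
        print(f"{client}: likely enumeration, {stats}")
```

In the sample, `client-A` is flagged as soon as its window covers 20 distinct, consecutive IDs, while `client-B` never is. Two caveats a practitioner would add: a determined scraper rotates API keys and source addresses, so the per-client grouping should be widened to keys that share a device fingerprint or account, and the same sequential-ID signal is a reason to stop exposing guessable numeric IDs on a public endpoint in the first place.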