The Clubhouse app is picking up immense popularity on iPhones, and while it does appear appealing, with endorsements from big names in the industry, it has a glaring security flaw (a new one). It seems that the app is intentionally harvesting users' contacts' phone numbers; what the app plans to do with those numbers is not yet known, and neither is whether they are protected in transit between your device and Clubhouse's servers.
Clubhouse App is an app that keeps on giving (security concerns)
Clubhouse is a massively popular new form of social media in which users gather in voice-based virtual chatrooms. The app has already been used and endorsed by Elon Musk and many other leading industry figures to give talks and more.
However, as with any app, the golden rule of the smartphone world is – “if you are not paying for it, you are the product”. This saying rings true for Clubhouse once more.
Guilherme Rambo is a well-known Apple app developer. They discovered a new security flaw in Clubhouse that lets the app harvest your contacts' phone numbers.
In their testing, they populated the phone with fake contacts that carried other fake data as well (emails, addresses, pictures, and so on) and found that Clubhouse harvested only the phone numbers; it appears to be interested in nothing else.
In addition, Guilherme points out that the app's API traffic does not use SSL pinning, which could allow malicious actors who can intercept the connection to read highly sensitive data.
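To show what the missing control looks like from the defender's side, here is an added example (not Clubhouse's code, and not from Guilherme Rambo's write-up) of a URLSession delegate that pins the server's leaf certificate by the SHA-256 hash of its DER encoding. With a pin in place, an intercepting proxy that presents a different certificate, even one the device would otherwise trust, causes the connection to fail closed. The pin value `PINNED_LEAF_SHA256` is a placeholder; an app would compute it from the certificate it intends to trust.

```swift
import Foundation
import CryptoKit

// Added example: pin the server's leaf certificate by SHA-256 of its DER bytes.
// "PINNED_LEAF_SHA256" is a placeholder, not a real value.
final class PinnedSessionDelegate: NSObject, URLSessionDelegate {
    private let pinnedHashes: Set<String>

    init(pinnedHashes: Set<String>) {
        self.pinnedHashes = pinnedHashes
    }

    func urlSession(_ session: URLSession,
                    didReceive challenge: URLAuthenticationChallenge,
                    completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void) {
        // Only handle server-trust challenges; let the system deal with anything else.
        guard challenge.protectionSpace.authenticationMethod == NSURLAuthenticationMethodServerTrust,
              let trust = challenge.protectionSpace.serverTrust else {
            completionHandler(.performDefaultHandling, nil)
            return
        }

        // Step 1: standard chain validation (trusted root, hostname, expiry).
        var error: CFError?
        guard SecTrustEvaluateWithError(trust, &error) else {
            completionHandler(.cancelAuthenticationChallenge, nil)
            return
        }

        // Step 2: the leaf certificate must also match one of our pins.
        guard let leaf = SecTrustGetCertificateAtIndex(trust, 0) else {
            completionHandler(.cancelAuthenticationChallenge, nil)
            return
        }
        let der = SecCertificateCopyData(leaf) as Data
        let digest = SHA256.hash(data: der).map { String(format: "%02x", $0) }.joined()

        if pinnedHashes.contains(digest) {
            completionHandler(.useCredential, URLCredential(trust: trust))
        } else {
            // Certificate differs from what we shipped: likely an interception proxy. Fail closed.
            completionHandler(.cancelAuthenticationChallenge, nil)
        }
    }
}

// Usage: every request made through this session is subject to the pin check.
let delegate = PinnedSessionDelegate(pinnedHashes: ["PINNED_LEAF_SHA256"])
let pinnedSession = URLSession(configuration: .default, delegate: delegate, delegateQueue: nil)
```

Pinning the leaf is the strictest option and requires shipping an app update whenever the certificate rotates; pinning an intermediate CA or the public key (SPKI) instead trades some strictness for operational flexibility, and a backup pin should always be included so that a planned rotation does not lock users out.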
This isn't the first time Clubhouse has come under scrutiny; previously we discovered that the app's rooms had little to no security, with a dedicated smartphone application and even a web application readily available to deliver the audio logs of the so-called “private rooms” the app boasts of.
While the app has recently reached 8 million installs despite being an iPhone exclusive, it is highly recommended that you give this app a second thought, as it seems to take a very casual approach to user security and shows little respect for users' privacy.