Clubhouse denies it was ‘breached’ and says the data is out there for anyone to grab.
Clubhouse, the startup invitation-only chat app, is the latest social-media platform to see mammoth troves of user data collected and posted in underground forums. An SQL file containing the personal data of 1.3 million Clubhouse users has been posted in a hacker forum for free.
Names, user IDs, photo URLs, follower counts, Twitter and Instagram handles, account creation dates and even the profile information of whoever invited each user to the app are among the fields contained in the database, according to CyberNews, giving threat actors key information that can be used against victims in phishing and other socially engineered scams.
For its part, Clubhouse said that its users’ data being public isn’t a bug, it’s just how the platform is built.
The company isn’t supplying any other details and Clubhouse didn’t respond to Threatpost’s request for additional comment.
Clubhouse followers on Twitter were quick to note that the statement draws a distinction that makes no difference to its exposed users.
“I fail to see what is false … ” user Benjamin Maynard responded to the Clubhouse statement.
Leaky APIs Plague Social Media
Clubhouse’s terms of service prohibit data scraping, yet its API, by its own admission, is sitting online with no protection against it.
“Clubhouse has conflicting user policies – being an invite-only platform and at the same time free-for-all user data,” Setu Kulkarni, vice president with WhiteHat Security, said. “All it takes is one user to figure out the API for such large data egress of the millions of users on the platform.”
Kulkarni added that these platforms need to shift to an API-first security strategy.
“Testing APIs in production is as important as, if not more important than, ever, for not just vulnerabilities but also for business logic flaws that can result in unfettered access to user data,” he said.
CyberNews researcher Mantas Sasnauskas analyzed the Clubhouse data and said the privacy bug is built into the platform itself.
“The way the Clubhouse app is built lets anyone with a token, or via an API, query the entire body of public Clubhouse user profile information, and it seems that token does not expire,” Sasnauskas said.
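One defender-side way to spot the kind of bulk profile pulling Kulkarni and Sasnauskas describe is to watch API access logs for a single token reading many distinct profiles inside a short window, and to note whether it is walking user IDs in order. The script below is an added example, not Clubhouse's code or CyberNews's tooling; the log format, the `/api/get_profile` path, the token names and the sample lines are all constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample API access log (assumed format: time, token, method, path,
# status). tok_A walks profile IDs in order; tok_B reads two profiles, minutes apart.
SAMPLE_LOG = [
    f"2021-04-10T12:00:{i:02d}Z tok_A GET /api/get_profile?user_id={1000 + i} 200"
    for i in range(20)
] + [
    "2021-04-10T12:00:20Z tok_A GET /api/get_profile?user_id=1020 404",
    "2021-04-10T12:00:03Z tok_B GET /api/get_profile?user_id=5123 200",
    "2021-04-10T12:05:00Z tok_B GET /api/get_profile?user_id=8870 200",
]

LINE_RE = re.compile(r"^(\S+) (\S+) GET /api/get_profile\?user_id=(\d+) (\d+)$")

def parse_line(line):
    """Parse one profile-read log line into (time, token, user_id, status), else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.fromisoformat(m.group(1).replace("Z", "+00:00"))
    return ts, m.group(2), int(m.group(3)), int(m.group(4))

def detect_enumeration(lines, window=timedelta(minutes=1), min_profiles=10):
    """Map token -> (max distinct profiles read in one window, share of ID+1 steps)."""
    per_token = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev and ev[3] == 200:  # only successful profile reads leak data
            per_token[ev[1]].append((ev[0], ev[2]))
    flagged = {}
    for token, events in per_token.items():
        events.sort()
        counts, start, best = defaultdict(int), 0, 0
        for ts, uid in events:  # sliding time window over the token's reads
            counts[uid] += 1
            while ts - events[start][0] > window:  # drop reads older than window
                old = events[start][1]
                counts[old] -= 1
                if counts[old] == 0:
                    del counts[old]
                start += 1
            best = max(best, len(counts))
        pairs = list(zip(events, events[1:]))
        ratio = sum(abs(b[1] - a[1]) == 1 for a, b in pairs) / len(pairs) if pairs else 0.0
        if best >= min_profiles:
            flagged[token] = (best, round(ratio, 2))
    return flagged
```

Only tokens that exceed the per-window threshold are returned; a sequential ratio near 1.0 is the extra signal that the IDs were walked in order rather than reached through normal browsing.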
The CyberNews team added that the SQL file posted in the hacker forum only has Clubhouse-related information and doesn’t include “sensitive data like credit-card details or legal documents.”