However, some concerning security flaws have just been exposed, potentially compromising the privacy of users' streams and identities. Clubhouse policies forbid anyone from recording conversations that take place on the app, and promise complete privacy—going so far as to claim that user data was inaccessible even to state-sponsored hackers. Yet this past weekend, a user (since permanently banned) was discovered streaming audio feeds from multiple chatrooms to his website. This is not a function of the app and should not have been possible.
The revelation led to deeper investigation into Clubhouse by Stanford cyber-security researchers, who further uncovered that each user's ID number as well as chatroom IDs were being transmitted in plaintext—without any encryption whatsoever. What's more, Clubhouse IDs could be connected to user profiles and identities traced.
This opens a whole Pandora's box of concerns. Because Clubhouse's back-end infrastructure provider (Agora) is located in Shanghai, the incident raises the question of whether the Chinese government could gain access to the raw audio files and confidential information. With Chinese citizens comprising a significant percentage of the app's global users, the data is often routed through Chinese servers. And unless the app's security is quickly enhanced and IDs encrypted, there may be worse data breaches to come.
Clubhouse is currently working with the Stanford Internet Observatory to take measures and enhance its security. In any case, SIO's chief technology officer warns that, given what we know, users should consider Clubhouse chats "semi-public."