Clubhouse vulnerabilities could have allowed for 'silent lurkers'
From Luta Security's blog post:
Gather around folks, it's hacker story time, and today I want to tell the tale of how I hacked Clubhouse. It's a new social app that’s rocketed to popularity by facilitating live, audio-only group chats in virtual rooms. The app's viral popularity has vaulted its company to multiplatinum unicorn status. Recent valuations peg Clubhouse to be worth upward of $4B.
With a little bit of probing, I was able to uncover some new problems (now fixed) in the app with serious security and privacy implications: My attack made it possible to appear as if I had left a room, while actually maintaining full bidirectional voice capabilities in that room as an invisible user, immune to moderator tools.
The bug discoveries I made and the ensuing process of collaborating with Clubhouse to get them fixed should offer many startups some really valuable lessons. Not just technical ones—though I think the details of the attack are pretty interesting—but more importantly, some real-world lessons on the common missteps that companies make in running vulnerability disclosure programs and in creating bug bounties.