
Clubhouse vulnerabilities could have allowed for 'silent lurkers'

posted on April 22, 2021
by l33tdawg
Credit: PC Mag

From Luta Security's blog post:

Gather around folks, it's hacker story time, and today I want to tell the tale of how I hacked Clubhouse. It's a new social app that’s rocketed to popularity by facilitating live, audio-only group chats in virtual rooms. The app's viral popularity has vaulted its company to multiplatinum unicorn status. Recent valuations peg Clubhouse to be worth upward of $4B.

With a little bit of probing, I was able to uncover some new problems (now fixed) in the app with serious security and privacy implications: My attack made it possible to appear as if I had left a room, while actually maintaining full bidirectional voice capabilities in that room as an invisible user, immune to moderator tools.

The bug discoveries I made and the ensuing process of collaborating with Clubhouse to get them fixed should offer many startups some really valuable lessons. Not just technical ones—though I think the details of the attack are pretty interesting—but more importantly, some real-world lessons on the common missteps that companies make in running vulnerability disclosure programs and in creating bug bounties.


Tags

Security
