Audio-only social network iPhone app Clubhouse has confirmed that it experienced a data spill on Sunday.
The app allows users to join and participate in pop-up public or private audio chatrooms, promising that conversations are not recorded and have to be experienced live.
But US cyber-security researchers tweeted that a user had found a way to stream audio to another website.
Clubhouse confirmed the spill to Bloomberg, saying it banned the user.
The app firm said it had installed new “safeguards” to prevent conversations from being streamed again.
The BBC has approached Clubhouse for comment.
Stanford University’s Internet Observatory reported the incident first, but the programme’s chief technology officer David Thiel stressed that the data spill was not malicious or a “hack”. Instead, he said it was more that a user had decided to violate Clubhouse’s terms of service.
Australian cyber-security researcher Robert Potter, who built the Washington Post’s cyber-security operations centre, agrees.
He explained that a “data spillage” was different to a “data breach”, in that data breaches are deliberate and usually carried out by someone hacking into a system to steal data.
A data spillage, on the other hand, is an incident whereby confidential information is released into an environment that is not authorised to have access to the information.
According to him, the incident occurred because a user had realised that it was possible to be in multiple chatrooms at once.
By understanding how this worked, the user could connect a Clubhouse API to his website, and essentially “share” his login remotely with anyone on the internet who wanted to listen to the audio chats from the app.
“If you’re popular, people will make a third-party app that scrapes data from the service, for example all the third-party programs that scrape information from Twitter,” Mr Potter told the BBC.
Security concerns over Clubhouse
Sunday’s incident comes after Clubhouse made assurances that user data couldn’t be stolen by cyber-criminals or state-sponsored hackers, in response to a warning from Stanford University’s Internet Observatory, which is headed by Facebook’s former security chief Alex Stamos.
Stanford’s cyber-security researchers discovered several security flaws, including the fact that users’ unique ID numbers and the ID numbers of the Clubhouse chatrooms they created were being transmitted in plaintext, and that it could be possible to connect those IDs to specific user profiles.
The researchers were also concerned that the Chinese government could gain access to the raw audio files on Clubhouse’s servers, because its back-end infrastructure is provided by a real-time engagement API firm called Agora, which has offices in both Shanghai and San Francisco.
When Agora went public on Wall Street in June, it mentioned in its filing with the US Securities and Exchange Commission (SEC) that in China it would be required “to provide assistance and support in accordance with the law for public security and national security authorities to protect national security or assist with criminal investigations”.
Stanford Internet Observatory informed Clubhouse about the security flaws and on 12 February said that it was working with the app firm to improve its security.
‘Consider Clubhouse chats to be semi-public’
While it might sound alarming to hear that audio conversations on Clubhouse can be taken out of the app, this isn’t exactly new.
Users are already using the video and audio recording functions on their devices to capture conversations involving celebrities like Elon Musk and Kevin Hart, and uploading them to YouTube.
Again, this is against the app’s terms of service, but it does mean that no-one should expect their conversations to actually be private, warns Mr Thiel.
“Consider Clubhouse chats to be semi-public, given issues with Agora and the fact we all have microphones,” he tweeted.
Mr Potter thinks the problem is more that Clubhouse is young and still immature as a service.
“I feel like there’s a bunch of users who got really enthusiastic because it’s a new thing and because you need an invitation, the conversations must be private,” he said.
“It happened with Zoom and TikTok – again and again, we see an app that has really high growth, it goes viral, and then they have a privacy problem, or they find lots of problems that weren’t so big a deal when they were smaller, and cyber-security comes later.”
He added that consumers needed to be realistic about what services do with their data.
“I think people just need to realise that the privacy and cyber-security of newer social media platforms isn’t going to be as good as mature ones,” said Mr Potter.
“If you’re going to be an early adopter and try out new apps and new smartphones, there’s going to be bugs.”