“Basically I’m going to keep talking to you, but I’m going to disappear, ”longtime security researcher Katie Moussouris told me in a private room at the Clubhouse in February. And then his avatar disappeared. I was alone, or at least that’s how it seemed to me. “This is it,” she said from the digital afterlife. “That’s the bug. I’m a fucking ghost.”
It has been over a year since the Clubhouse audio social network debuted. At that time, his explosive growth came with a panoply of security, privacy and abuse issues. This includes a newly disclosed pair of vulnerabilities, discovered by Moussouris and now fixed, that could have allowed an attacker to hide and listen in a Clubhouse room undetected, or to verbally disrupt a discussion beyond a moderator’s control.
The vulnerability could also be exploited without virtually any technical knowledge. All you needed were two iPhones with Clubhouse installed and a Clubhouse account. (Clubhouse is still only available on iOS.) To initiate the attack, you must first log into your Clubhouse account on phone A, then join or start a room. Then you log into your Clubhouse account on phone B – which automatically logs you out on phone A – and join the same room. This is where the problems started. Phone A would display a login screen, but not completely log you out. You would still have a live connection to the room you were in. Once you ‘left’ that same room on Phone B, you would disappear, but you could maintain your shadow connection on Phone A.
In the screen on the right, Moussouris was gone, but his Clubhouse ghost remained.
Screenshot: Lily Newman via ClubhouseMoussouris also found that a hacker could have launched the attack, or variations of it, using more technical mechanisms. But the fact that it can be done so easily underlines the importance of the loophole. Moussouris calls the eavesdropping attack “Stillergeist” and the interrupt attack “Banshee Bombing”.
Since the vulnerability existed for any room, she argues that the weakness represented the worst case scenario for Clubhouse, as the platform works to address issues of privacy, harassment, hate speech and other abuses. . Not knowing who is listening to a conversation, or having to close a room because you can’t stop an invisible person from saying what they want, are nightmarish situations for an audio chat app.
After Moussouris submitted her findings to the company in early March, she said Clubhouse was not immediately responsive and it took a few weeks to fully resolve the issue. In the end, Clubhouse explained to Moussouris that he had fixed two bugs related to the discovery. A fix ensured that all ghost participants were always silent and couldn’t hear a room even if they were hovering in it, essentially trapping them in Clubhouse Purgatory. The second bug fix fixed a cache display issue so that users are no longer completely logged out on an old device if they log in to another. Moussouris says she hasn’t fully validated the fixes herself, but the explanation makes sense.