Clubhouse, the start-up invitation-only chat app, is the latest social-media platform to see mammoth troves of user data collected & posted in underground forums. An SQL file containing the personal data of 1.3m Clubhouse users has been posted in a hacker forum for free.
Clubhouse denies it was ‘breached’ & says the data is out there for anyone to grab.
Names, user IDs, photo URLs, follower counts, Twitter & Instagram handles, account-creation dates & even the profile information of who invited them to the app are among the information contained in the database, according to Cyber News, giving threat actors information that can be used against victims in phishing & other socially engineered scams.
For its part, Clubhouse said that its users’ data being public is not a bug, it is just how the platform is built:
The company is not supplying any other details & did not respond to requests for additional comment.
Clubhouse followers on Twitter were quick to note that the statement draws a distinction without a difference for its exposed users.
“I fail to see what is false … ” user Benjamin Maynard responded to the Clubhouse statement.
Clubhouse’s terms of service prohibit data scraping, yet its API, by its own admission, is sitting online with no protection against it.
“Clubhouse has conflicting user policies – being an invite-only platform & at the same time free-for-all user data,” Setu Kulkarni, VP with WhiteHat Security, observed. “All it takes is 1 user to figure out the API for such large data egress of the millions of users on the platform.”
Kulkarni added that these platforms need to shift to an API-first security strategy.
“Testing APIs in production is as, if not more, important than ever, not just for vulnerabilities but also for business logic flaws that can result in unfettered access to user data,” he suggested.
Cyber News Researcher Mantas Sasnauskas analysed the Clubhouse data & said the privacy bug is built into the platform itself.
“The way the Clubhouse app is built lets anyone with a token, or via an API, query the entire body of public Clubhouse user profile information, & it seems that token does not expire,” Sasnauskas observed.
The Cyber News team added that the SQL file posted in the hacker forum only has Clubhouse-related information & does not include “sensitive data like credit-card details or legal documents.”
Denying the Problem
In the past 2 weeks, 533m Facebook users’ data was leaked, LinkedIn saw scraping of 500m people’s data & now Clubhouse has given up the information on another 1.3m people.
As Politico Europe’s Nicholas Vinocur pointed out, they have all followed an eerily similar disclosure playbook: deny it ever happened.
Facebook was similarly vulnerable through its API, which Michael Isbitski from Salt Security explained is becoming more common.
“Content scraping is a common attack pattern,” Isbitski stated in the wake of the Facebook leak. “Organisations often build or integrate APIs, without fully considering the abuse cases of the APIs.”
LinkedIn also put out a statement in the wake of its incident, explaining the platform was not technically “breached,” but that the information was public & scraped from the LinkedIn site.
To view the LinkedIn user data file in the hacker forum costs $2 worth of forum credits. The full database was up for auction in the 4-figure range.
“We have investigated an alleged set of LinkedIn data that has been posted for sale & have determined that it is actually an aggregation of data from a number of websites & companies” that includes “publicly viewable member-profile data that appears to have been scraped from LinkedIn,” the company said in a statement.
“This was not a LinkedIn data breach, & no private member account data from LinkedIn was included in what we’ve been able to review.”
“I don’t expect that this will be the last of these sort of scraping incidents,” Isbitski predicted. “APIs are regularly the vehicle for functionality & data.
“Social media companies inherently design their platforms to be consumable, powering much of it with APIs. Attackers know this, & they continue to target APIs in scraping attacks, repurposing publicly available data for malicious purposes.”
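The pattern Sasnauskas describes (one long-lived token walking an entire profile directory) and the scraping attacks Isbitski refers to leave a distinctive footprint in API access logs. The following is an added defender-side example, not code from Clubhouse, Cyber News or Salt Security: it scans constructed, hypothetical log lines for a single token fetching an unusual number of distinct profiles inside a short window and notes when the IDs are sequential, the classic enumeration signature. The log format, token names and endpoint are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample of API access-log lines (not real Clubhouse logs).
# Assumed format: "<ISO timestamp> <token> /api/get_profile?user_id=<id>"
SAMPLE_LOG = """\
2021-04-10T12:00:00Z tok_alice /api/get_profile?user_id=2048
2021-04-10T12:00:09Z tok_bob /api/get_profile?user_id=1000
2021-04-10T12:00:10Z tok_bob /api/get_profile?user_id=1001
2021-04-10T12:00:11Z tok_bob /api/get_profile?user_id=1002
2021-04-10T12:00:12Z tok_bob /api/get_profile?user_id=1003
2021-04-10T12:00:13Z tok_bob /api/get_profile?user_id=1004
2021-04-10T12:00:14Z tok_bob /api/get_profile?user_id=1005
2021-04-10T12:05:00Z tok_alice /api/get_profile?user_id=7771
"""

def parse_line(line):
    """Return (timestamp, token, user_id) for one hypothetical log line."""
    ts, token, path = line.split()
    user_id = int(path.rsplit("user_id=", 1)[1])
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), token, user_id

def find_scraping_tokens(log_text, window_seconds=60, max_distinct=5):
    """Flag any token that fetches more than max_distinct distinct profiles
    within a sliding window of window_seconds. Also record whether the
    profile IDs in that window are consecutive (directory enumeration)."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ts, token, uid = parse_line(line)
            events[token].append((ts, uid))
    flagged = {}
    for token, evs in events.items():
        evs.sort()                      # process each token's requests in time order
        window = deque()
        for ts, uid in evs:
            window.append((ts, uid))
            # Drop requests that fell out of the sliding window.
            while (ts - window[0][0]).total_seconds() > window_seconds:
                window.popleft()
            distinct = {u for _, u in window}
            if len(distinct) > max_distinct:
                ids = sorted(distinct)
                sequential = all(b - a == 1 for a, b in zip(ids, ids[1:]))
                flagged[token] = {"distinct_profiles": len(distinct),
                                  "sequential": sequential}
                break                   # one alert per token is enough
    return flagged
```

Normal interactive use (tok_alice) touches a couple of profiles minutes apart and stays silent; the token that walks 1000..1005 in six seconds is reported with the sequential flag set.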
Users of all 3 of these social media platforms should be aware they could be targeted by email phishing campaigns, so strong passwords & multi-factor authentication are important. Cyber News offers a personal data leak checker to help users work out if their data was compromised.