A Clubhouse bug let people lurk in rooms invisibly


“Basically, I’m going to keep talking to you, but I’m going to disappear,” longtime security researcher Katie Moussouris told me in a private Clubhouse room in February. “We’ll still be talking, but I’ll be gone.” And then her avatar vanished. I was alone, or at least that’s how it seemed. “That’s it,” she said from the digital beyond. “That’s the bug. I am a fucking ghost.”

It’s been more than a year since the audio social network Clubhouse debuted. In that time, its explosive growth has come with a panoply of security, privacy, and abuse issues. That includes a newly disclosed pair of vulnerabilities, discovered by Moussouris and now fixed, that could have allowed an attacker to lurk and listen in a Clubhouse room undetected, or verbally disrupt a discussion beyond a moderator’s control.

The vulnerability could also be exploited with virtually no technical knowledge. All you needed was two iPhones that had Clubhouse installed and a Clubhouse account. (Clubhouse is still only available on iOS.) To launch the attack, you would first log into your Clubhouse account on Phone A, and then join or start a room. Then you’d log into your Clubhouse account on Phone B—which would automatically log you out on Phone A—and join the same room. That’s where the problems started. Phone A would show a login screen, but wouldn’t fully log you out. You’d still have a live connection to the room you were in. Once you “left” that same room on Phone B, you would disappear, but could maintain your ghost connection on Phone A.
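The sequence above can be reproduced in a small model, added here as an illustration; it is not Clubhouse's code, and the article does not describe the server internals or the actual fix. The class, its fields and the `hardened` switch are hypothetical. The model assumes the flaw is a participant list kept separately from the live audio connections, and shows one way to close that gap.

```python
import secrets

class RoomServer:
    """Toy model: one session per user; a room holds live audio connections."""

    def __init__(self, hardened):
        self.hardened = hardened
        self.sessions = {}  # user -> current session token
        self.conns = {}     # token -> (user, room): who actually receives audio
        self.roster = {}    # room -> users shown in the UI (separate state: the flaw)

    def login(self, user):
        old = self.sessions.get(user)
        token = self.sessions[user] = secrets.token_hex(8)
        if self.hardened:
            self.conns.pop(old, None)  # new login tears down the old device's stream
        return token

    def join(self, user, token, room):
        if self.sessions.get(user) != token:
            raise PermissionError("stale session")
        self.conns[token] = (user, room)
        self.roster.setdefault(room, set()).add(user)

    def leave(self, user, token, room):
        self.conns.pop(token, None)
        self.roster.get(room, set()).discard(user)  # keyed by user, not by connection

    def listeners(self, room):
        return {u for u, r in self.conns.values() if r == room}

    def visible(self, room):
        # Hardened: the participant list is derived from live connections,
        # so it cannot disagree with who is actually listening.
        return self.listeners(room) if self.hardened else set(self.roster.get(room, ()))

def ghost_scenario(hardened):
    """Replay the two-phone sequence; return users who listen but are not shown."""
    s = RoomServer(hardened)
    a = s.login("alice"); s.join("alice", a, "room")  # Phone A joins
    b = s.login("alice"); s.join("alice", b, "room")  # Phone B logs in, joins
    s.leave("alice", b, "room")                       # Phone B leaves
    return s.listeners("room") - s.visible("room")

if __name__ == "__main__":
    print("flawed:", ghost_scenario(False), "hardened:", ghost_scenario(True))
```

A non-empty result from `ghost_scenario` is also a usable server-side detection: any connection receiving room audio whose user is absent from the displayed participant list.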
