The Clubhouse statement
According to a statement by Clubhouse, there was no breach and the information that was supposedly leaked was already publicly available for Clubhouse users.
Clubhouse is an iOS invitation-only social media/chat application, and it is the most recent victim of a large-scale data scraping that caused the data of over 1.3 million users to become available for free on a hacker forum. The leaked data is contained within a SQL file that has been uploaded to a cyber-underground forum from where anyone could freely download it.
The user details contained within the SQL file are user photos, IDs, dates when the user profiles have been created, Instagram and/or Twitter handles, information about who sent the invitation, and more. Such information, while not particularly sensitive, could easily be used for malicious social engineering campaigns such as phishing attacks.
Clubhouse has already made a statement addressing the matter. The company said that the data leak was not caused by a bug or a vulnerability in the app and that there has been no security breach.
The company states that the data acquired by the hackers and posted on the underground hacking forum is already freely available to users of the application and can be accessed through the app’s API.
Clubhouse hasn’t provided any more details relating to the recent data scraping and has been silent ever since this statement.
Insecure APIs causing the data leaks
Some users have already pointed out certain discrepancies between the statement made by Clubhouse and the policy of the company. According to the terms of service for the app, data scraping is prohibited. However, it seems that the API for the app lacks any protection against data scraping.
According to the vice president of WhiteHat Security, Setu Kulkarni, the policies of Clubhouse are conflicting since, on the one hand, the app is invite-only and, on the other hand, the user data on it is free-for-all. This means that anyone who knows their way around the API could easily gain access to the user/profile data of millions of users.
Kulkarni notes that, in order to protect user data more effectively, the company needs to adopt a security-first approach with its API. He mentions that often the problem isn’t solely about security vulnerabilities but also flaws in the application’s logic that could lead to such incidents.
Mantas Sasnauskas, a security researcher at CyberNews, also noted that the bug responsible for the data scraping seems to be built within the Clubhouse platform. According to him, anyone who has a token could query the entire user database of Clubhouse.
Further investigation by the CyberNews security team also suggests that the information that’s within the SQL file is related only to details from the Clubhouse app and doesn’t contain any more sensitive information such as payment card details.
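To make concrete what "protection against data scraping" at the API layer would involve, the following added Python example (written for this article, not Clubhouse's or CyberNews' code; the log line format, the /api/get_profile endpoint name and the thresholds are all assumptions) replays constructed access-log lines, flags tokens that walk through sequential user IDs or exceed a per-minute request budget, and shows a per-token sliding-window rate limiter that would reject the excess requests with a 429 instead of serving the whole user directory to a single token.

```python
"""Added illustration: detecting and throttling profile enumeration at an API.

Constructed example, not Clubhouse's code. The log format, the endpoint name
(/api/get_profile) and the thresholds below are assumptions for this example.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
from urllib.parse import parse_qs, urlsplit

# Constructed sample access log: "<ISO timestamp> <token> <endpoint>?user_id=<id>".
# tok_A reads six consecutive profile IDs in six seconds (looks like enumeration);
# tok_B reads three unrelated profiles minutes apart (normal browsing).
SAMPLE_LOG = """\
2021-04-10T12:00:00 tok_A /api/get_profile?user_id=1001
2021-04-10T12:00:01 tok_A /api/get_profile?user_id=1002
2021-04-10T12:00:02 tok_A /api/get_profile?user_id=1003
2021-04-10T12:00:03 tok_A /api/get_profile?user_id=1004
2021-04-10T12:00:04 tok_A /api/get_profile?user_id=1005
2021-04-10T12:00:05 tok_A /api/get_profile?user_id=1006
2021-04-10T12:00:10 tok_B /api/get_profile?user_id=4821
2021-04-10T12:03:30 tok_B /api/get_profile?user_id=77
2021-04-10T12:05:00 tok_B /api/get_profile?user_id=9050
"""


def parse_line(line):
    """Parse one constructed log line into (timestamp, token, user_id)."""
    ts_str, token, request = line.split()
    query = parse_qs(urlsplit(request).query)
    return datetime.fromisoformat(ts_str), token, int(query["user_id"][0])


def detect_enumeration(log_text, min_run=5, max_per_minute=30):
    """Return {token: [reasons]} for tokens whose pattern looks like scraping.

    Two defender-side heuristics (thresholds are assumptions):
    * a run of at least `min_run` consecutive user_ids (ID enumeration), or
    * more than `max_per_minute` profile reads inside any 60-second window.
    """
    events = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ts, token, uid = parse_line(line)
            events[token].append((ts, uid))

    findings = defaultdict(list)
    for token, seq in events.items():
        seq.sort()  # order by timestamp
        # Signal 1: longest run where each user_id equals the previous one + 1.
        run = best = 1
        for (_, prev), (_, cur) in zip(seq, seq[1:]):
            run = run + 1 if cur == prev + 1 else 1
            best = max(best, run)
        if best >= min_run:
            findings[token].append(f"sequential user_id run of {best}")
        # Signal 2: peak request count in a sliding 60-second window.
        window = deque()
        peak = 0
        for ts, _ in seq:
            window.append(ts)
            while ts - window[0] > timedelta(seconds=60):
                window.popleft()
            peak = max(peak, len(window))
        if peak > max_per_minute:
            findings[token].append(f"{peak} requests in 60s")
    return dict(findings)


class PerTokenRateLimiter:
    """Sliding-window limiter: at most `limit` profile reads per token per window."""

    def __init__(self, limit=30, window_s=60):
        self.limit = limit
        self.window = timedelta(seconds=window_s)
        self.history = defaultdict(deque)

    def allow(self, token, now):
        hist = self.history[token]
        while hist and now - hist[0] >= self.window:
            hist.popleft()  # drop requests that fell out of the window
        if len(hist) >= self.limit:
            return False  # caller answers 429 and records the token for review
        hist.append(now)
        return True


def replay(log_text, limit=5, window_s=60):
    """Replay the log through the limiter; return {token: rejected request count}."""
    limiter = PerTokenRateLimiter(limit, window_s)
    rejected = defaultdict(int)
    for line in log_text.splitlines():
        if line.strip():
            ts, token, _ = parse_line(line)
            if not limiter.allow(token, ts):
                rejected[token] += 1
    return dict(rejected)


if __name__ == "__main__":
    print(detect_enumeration(SAMPLE_LOG))  # tok_A flagged for a run of 6 IDs
    print(replay(SAMPLE_LOG, limit=5))     # tok_A's sixth request rejected
```

The enumeration heuristic catches the low-and-slow case that a plain rate limit misses (a scraper that stays under the per-minute budget but walks IDs in order), while the limiter caps how much any one token can pull regardless of pattern; in practice both signals would feed the same per-token review queue.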
Companies denying there’s a problem
Within the past ten or so days, there have been at least three major data-scraping incidents in which big companies were targeted and the data of millions of users got posted online.
In addition to the most recent Clubhouse incident, LinkedIn and Facebook user data had also been scraped and made publicly available shortly before it. Those two incidents were of significantly larger scale, as the data of 533 million Facebook users and 500 million LinkedIn users got leaked.
The Facebook data scraping, too, was apparently the result of a flaw in its API.
According to Michael Isbitski, a researcher at Salt Security, this type of attack is very common, and such attacks rely on the built-in vulnerabilities in the APIs of different companies.
LinkedIn also issued a statement addressing the leak of its users’ data and, like Clubhouse, denied that its infrastructure had been breached. According to the statement, the leaked user data was always accessible to other users and has always been publicly available.
At the time of writing, access to the data of a single LinkedIn user on the hacker forum where it is posted costs $2. Access to the whole database is priced in the four-digit range and is currently up for auction.
LinkedIn also stated that further investigation determined that the leaked user data comes from other companies whose sites host publicly available LinkedIn user data taken from LinkedIn. The company used this as a further argument that its infrastructure was not breached and is not the source of the leak.
Isbitski goes on to say that he believes this won’t be the last data-scraping incident in the near future. Social media platforms often focus more on being appealing to users than on improving those users’ security and privacy, which leads to their APIs often being less secure than they should be. Cybercriminals have apparently figured that out and are now exploiting it in data-scraping attacks.
Users of the three social media platforms mentioned above (Facebook, LinkedIn, and Clubhouse) are advised to be on the lookout for phishing attacks targeted at them. They should also change their passwords to strong, secure ones and, better yet, enable two-factor authentication to make it less likely that cybercriminals gain access to their profiles.