We already took a look at privacy-related issues surrounding Clubhouse. After that, we submitted our findings to Clubhouse following responsible disclosure practices. You can read about it here.
What is Clubhouse?
Clubhouse is an invite-only, audio-based iPhone application. Imagine a social network based on a single type of communication – voice. You can listen to other people’s conversations and, if allowed, you can join the chat. Since Elon Musk popped up in a Clubhouse room a few weeks ago, the app’s popularity has grown rapidly.
Clubhouse authentication and sign-in is simple: you enter a phone number, to which you receive an SMS with a 4-digit access code. After that, you enter the correct code and you are in, free to join some rooms. What could possibly go wrong?
First, a 4-digit code is short. Limited to numerical characters, there are 10^4 = 10,000 possible combinations. A user can attempt to enter the code three times. When unsuccessful, a new code will be sent – with three more attempts. If logon failures continue, the account will be locked for 30 minutes.
An attacker can execute a brute-force attack on Clubhouse access code in different ways:
- A targeted attack on a single user with a known phone number.
- Brute-forcing multiple phone numbers with one or more codes.
In the first case, breaking into someone’s Clubhouse account can result in account modification, reputation loss or spreading false news on behalf of a trusted community member. However, this type of attack will not be easy to execute fast and unnoticed. A large number of received SMS codes, or an account lockout, would make the user suspicious.
The latter brute-force scenario is more realistic. Sending Clubhouse authentication requests for many phone numbers using various 4-digit codes has a higher probability of success. The consequences are the same as in the single-user attack. The direct impact of active misuse of a breached account will vary. Surely, it is more exciting to breach the account of Elon Musk or a high-profile moderator than the account of some average user.
Execution of a brute-force attack is rather easy using the Python interface to the Clubhouse API. Researchers reverse engineered the application to determine which APIs Clubhouse uses and published the code at https://github.com/stypr/clubhouse-py. It provides an interface to all known Clubhouse APIs. With a little command-line kung-fu, interaction with your Clubhouse account is not difficult. Neither would be the execution of a brute-force attack.
The app sends you the SMS with the Clubhouse authentication code on the presumption that the phone number is tied to a single device – yours. In a SIM swapping attack, a threat actor hijacks your phone number and activates another SIM card. The attacker will receive all your SMS messages and calls – including the Clubhouse 4-digit PIN. In this case, you would be logged out from your device when a different device logs on to Clubhouse with your number.
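The numbers in the paragraphs above (10,000 codes, three attempts per code, a new code after each exhausted budget, a 30-minute lockout) can be turned into a server-side verification policy and a risk calculation. The following is an added example written for this post; it is not Clubhouse’s code and does not use clubhouse-py. It assumes that the lockout kicks in after the second code is exhausted (the post only says "if logon failures continue"), and the phone number and the fixed code used in the demo are constructed values.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

# Policy values stated in the post: 4 digits, 3 attempts per code, 30-minute lockout.
# CODES_BEFORE_LOCKOUT is an assumption: the post does not say after how many
# exhausted codes the account locks, so two is used here.
CODE_LENGTH = 4
ATTEMPTS_PER_CODE = 3
CODES_BEFORE_LOCKOUT = 2
LOCKOUT_SECONDS = 30 * 60


def guess_probability(code_length: int, attempts_per_code: int) -> float:
    """Probability that one issued code is guessed within its attempt budget."""
    return attempts_per_code / 10 ** code_length


def expected_accounts_at_risk(phone_numbers: int, code_length: int,
                              attempts_per_code: int, codes_per_number: int) -> float:
    """Expected number of accounts opened when guesses are spread across many
    numbers, each number receiving `codes_per_number` codes before it locks."""
    p_cycle = guess_probability(code_length, attempts_per_code)
    p_number = 1 - (1 - p_cycle) ** codes_per_number
    return phone_numbers * p_number


@dataclass
class _OtpState:
    code: Optional[str]      # None while locked or after the code was consumed
    attempts_left: int
    codes_issued: int
    locked_until: float      # clock timestamp; 0.0 means not locked


class OtpVerifier:
    """Server-side SMS-code check enforcing attempt limits and lockout."""

    def __init__(self, code_length=CODE_LENGTH, attempts_per_code=ATTEMPTS_PER_CODE,
                 codes_before_lockout=CODES_BEFORE_LOCKOUT,
                 lockout_seconds=LOCKOUT_SECONDS,
                 clock: Callable[[], float] = time.monotonic,
                 code_factory: Optional[Callable[[], str]] = None):
        self.code_length = code_length
        self.attempts_per_code = attempts_per_code
        self.codes_before_lockout = codes_before_lockout
        self.lockout_seconds = lockout_seconds
        self._clock = clock
        # A deterministic code_factory is only for tests; production uses secrets.
        self._code_factory = code_factory or self._random_code
        self._states: Dict[str, _OtpState] = {}

    def _random_code(self) -> str:
        return "".join(secrets.choice("0123456789") for _ in range(self.code_length))

    def _lock(self, st: _OtpState, now: float) -> None:
        st.code = None                       # invalidate the code for the whole lockout
        st.locked_until = now + self.lockout_seconds

    def issue(self, phone: str) -> Optional[str]:
        """Create a code for `phone` (the value an SMS gateway would send).
        Returns None while the account is locked."""
        now = self._clock()
        st = self._states.get(phone)
        if st is not None and st.locked_until > now:
            return None
        if st is not None and st.code is not None:
            # Re-requesting a code counts toward the lockout budget; otherwise the
            # attempt counter could be reset simply by asking for a new code.
            if st.codes_issued >= self.codes_before_lockout:
                self._lock(st, now)
                return None
            st.code = self._code_factory()
            st.attempts_left = self.attempts_per_code
            st.codes_issued += 1
            return st.code
        self._states[phone] = _OtpState(self._code_factory(), self.attempts_per_code, 1, 0.0)
        return self._states[phone].code

    def verify(self, phone: str, submitted: str) -> str:
        """Returns one of: ok, retry, new_code, locked, no_code."""
        now = self._clock()
        st = self._states.get(phone)
        if st is None:
            return "no_code"
        if st.locked_until > now:
            return "locked"
        if st.code is None:                  # lockout expired; a fresh issue() is required
            return "no_code"
        if secrets.compare_digest(st.code, submitted):
            del self._states[phone]          # single use: never accept the same code twice
            return "ok"
        st.attempts_left -= 1
        if st.attempts_left > 0:
            return "retry"
        if st.codes_issued >= self.codes_before_lockout:
            self._lock(st, now)
            return "locked"
        # Attempts exhausted: send a new code with a fresh budget, as the post describes.
        st.code = self._code_factory()
        st.attempts_left = self.attempts_per_code
        st.codes_issued += 1
        return "new_code"


if __name__ == "__main__":
    # Per-code odds under the described policy versus a 6-digit code.
    print("4-digit, 3 attempts:", guess_probability(4, 3))   # 0.0003
    print("6-digit, 3 attempts:", guess_probability(6, 3))   # 3e-06
    print("expected accounts opened across 10,000 numbers, 2 codes each:",
          round(expected_accounts_at_risk(10_000, 4, 3, 2), 4))
```

The point of the state machine is that every path that hands out a fresh attempt budget (either a new code after three failures or a user-initiated re-request) also advances the same counter toward the lockout, and the lockout discards the outstanding code rather than merely pausing it. The two probability helpers show why the length matters more than the attempt limit: three attempts against a 4-digit code succeed once in about 3,300 cycles, so spread across 10,000 numbers with two codes each you should expect roughly six accounts to open; the same policy with 6 digits brings that to well under one.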
If a SIM swapping attack succeeds, you will not be able to log on to Clubhouse from your device. You will also not receive any notification about a sign-on from a different device.
The only way to regain access to your account is by acquiring a new SIM card from your carrier. Until then, the attacker can impersonate you and act on your behalf.
Is there a way to check the devices from which you access Clubhouse? No.
At the time of writing this blog, Clubhouse does not offer any means to check your Clubhouse account activity, verification history or the devices used to sign in. Additionally, changing the phone number associated with the account is not possible.
In our next blog we will introduce more potential security issues which affect users of Clubhouse. Stay tuned!