The Clubhouse 'Hack' - When 'Move Fast, Break Things' Backfires

Even if you don't build it, developers will come.

Clubhouse has been in the news recently yet again, in a different way than those familiar with the news cycle involving the platform. This time, the platform’s security model is being called into question, and many trying to ascertain what their expectation of privacy, if any, is on Clubhouse.

How Does Clubhouse Work?

There are many different models for how platforms work, many leveraging other products which are part of the ‘as-a-service’ stack. Amazon’s storage service is so widely used that it’s sometimes more understandable to say ‘S3’, their storage brand, rather than ‘storage-as-a-service’.

Many proprietary solutions and platforms are built on services such that their application stacks more closely resemble a layered solution rather than a single element (think Neapolitan ice cream instead of just a single serving of chocolate, vanilla, or strawberry on its own).

Clubhouse is no different, and is essentially a front-end built on top of a service called Agora which offers broadcast services that deliver the real-time audio experience Clubhouse users have come to know and love. Agora, like many other services, has an API, or Application Programming Interface. API’s let developers make use of services with a minimum of effort, acting as a set of instructions on how to make use of their service in a particular programming language.

While the recent Clubhouse happening is being referred to as a ‘breach’ or ‘hack’, the perception of those descriptions to the general public is quite broad, and often conjures up images of someone breaching a database to steal private information. It’s far more accurate to say that we are talking about the creation of unauthorized clients, one of which relied on a set of authorized Clubhouse users and their tokens to stream audio from Clubhouse rooms to a website.

Clubhouse Tokens

The Clubhouse security model is less than robust, as users are generally granted a single token after signing up, and then use that token to perform functions such as entering and creating Clubhouse rooms. Agora does have more robust token features such as ‘co-host token authentication’ (thanks to @OnlyJohnRay on Twitter for this), so it’s unknown why the Clubhouse security model is so simplistic at this point in time.

Many restrictions on user activity are based in the client itself, and since both the unauthorized and authorized clients interact with the same API, it can be difficult to differentiate and restrict access.

This has led to events like so-called ‘ghosting’, where people not in Clubhouse rooms can still broadcast their voice to the stage (this happened to me once very early on as a bug in the Clubhouse client rather than malicious actions).

The now defunct clubhouserooms.com site made use of the API in a less invasive way, showing all rooms on the platform but not streaming audio. A more recent addition to the list of unauthorized clients is Direcon, a third-party endeavour that markets itself as a management and analytics service to Clubhouse. It too makes unauthorized use of the Clubhouse API, but does so in a different way : With a user’s token rather than the tokens of Clubhouse accounts controlled by Direcon itself.

The product actually makes direct use of Clubhouse’s own authentication API, requiring users to give their phone number to Direcon, at which time a confirmation text is sent and the service is able to make use of the user’s token to track analytics for their rooms and (eventually) perform management and moderation functions.

Besides privacy/security concerns, products such as Direcon can be shut down on a whim by the Clubhouse team and they present a high risk situation for both investors and users who might come to rely on the functions provided by such products.

Clubhouse Did It First

These recent events perhaps obfuscate how Clubhouse has been able to gain user growth and market valuation so quickly, by adhering to the Silicon Valley axiom of ‘Move Fast, Break Things’. Some other platforms have built their audio engines from scratch, meaning they have a slower platform velocity, but are potentially able to come up with more robust access models. Clubhouse utilized an existing service with an access model that was not purposefully designed for their application, meaning they were able to launch with a minimum of engineering work. The consequence, however, is that they may have broken some minimum standards for privacy and security that users have come to expect from the platforms that they use.

Products like Direcon are repeating this trend. Clubhouse users largely want what this product offers, but Clubhouse does not have any form of ‘Developer Program’. Typically, these programs provide an authorized means of developing features for a platform, and require members to adhere to certain standards regarding their products. In the absence of such a program, products like Direcon are moving fast in simply reverse engineering and accessing Clubhouse through what is technically possible, rather than what is authorized. They are breaking things now, but some of the largest concerns are what they might break in the future.

There are no standards to guarantee that these kinds of products will treat the security of user tokens properly, possibly leading to others being able to impersonate users, or worse. Similarly, no guarantees exist the data gathered by companies through use of their products won’t be sold or otherwise used without user permission.

Clubhouse’s API woes are unlikely to be repeated by competing products from platform giants like Twitter and Facebook, as those companies have robust developer programs and are unlikely to ever grant access as open as some now have to Clubhouse. It’s likely that Clubhouse will be fighting a never-ending battle to prohibit unauthorized access. One thing they may consider, however, is creating an authorized developer program to limit third-party clients.

Clubhouse users want these features, and the internet in general also loves to move fast and break things. The difference being is that it will be Clubhouse, and not the internet dealing with the brand reputation hit should something more serious like private user data or a cache of recorded conversations eventually leak.