A database with information from more than 1.3 million users of the new social network exclusive to iPhones, the Clubhouse, was published free of charge in a popular leak-sharing forum on the shallow internet.
The “leak”, however, is nothing more than a “scraping of data” that can be accessed through a platform API. I.e, the database offered in the cybercriminal forum is a collection of information that users themselves have posted on their profiles, publicly.
The bank offers data such as user ID; Name; profile picture; link to the user’s other social networks; number of followers and number of people following a particular user; in addition to the creation date of the account and user you were invited to.
It is important to remember that there is no sensitive data (such as password, social security number or personal documents) exposed in the database. Also, that no Clubhouse server has been compromised in a cyber attack.
The point of this “leak” is that you must be invited to access this information from other users. Therefore, it is now possible to access a portion of the platform data, even without being invited.
In response to a post on Twitter, the developers of Cluhouse said: “This is misleading and false. The Clubhouse has not been breached or hacked. The data referred to is all public profile information for our application, which anyone can access through the app or our API. “
According to Mantas Sasnauskas, information security researcher for Cybernews, the Clubhouse has serious privacy issues, mainly by say in the privacy policy that they do not allow data extraction or scraping.
“The way the Clubhouse application is built allows anyone to have a token, or through an API, to consult the entire body of public information in the Clubhouse user’s profile, and it seems that the token does not expire”, explains the researcher .
Earlier this year, a developer was able to play a copy of the Clubhouse app, breaking the need to be invited to join the platform. The parallel application was turned off shortly after going online, but it was able to transmit the contents circulating in the closed application, to any other interested person, who did not have access to an invitation.
Sources: Cybernews; Clubhouse via Twitter.
See the original post at: https://thehack.com.br/vazamento-do-clubhouse-e-so-mais-uma-raspagem-de-dados-publicos/?rand=48873
