A developer made a tool that scraped some conversations on Clubhouse and streamed them on a website, making them available to anyone—even people without an account—undermining the app’s ephemeral, invitation-only nature.
Last week, a developer called Leiyi Zhang published the tool on the open source repository GitHub. The developer then started uploading the conversations and streaming them on a website called OpenClubhouse.
“This is a third party Clubhouse audio player. I hope that everybody can hear the voice. So it is a open Clubhouse client for Android, for Computer, and for anyone without invite code,” the developer wrote on the site. “All room accesses are acquired from personal session, and all copyrights of the voice are belongs [sic] to JoinClubhouse.com and its users.”
Anyone could listen to conversations on the site and see people who were participating in the sessions, according to screenshots of the site.
Clubhouse, which initially attracted celebrities and Silicon Valley venture capitalists, is growing in popularity but is still only available to those who received an invite from an existing user. Celebrities like Drake, Oprah Winfrey, and Kevin Hart have even popped up on the app, offering people the rare chance of digital proximity to the wealthy and famous. Its current, semi-exclusive and ephemeral nature has generated some controversies, like a room in which Silicon Valley elites discussed journalists having too much power, and conversations that spread conspiracy theories about COVID-19.
A website that makes some of those conversations public and easy to listen to seems to undermine some of Clubhouse’s appeal, but as of Monday, Clubhouse blocked the account that Zhang used to record and stream conversations from the app, and his site no longer provides streams. A Clubhouse spokesperson told Bloomberg that it “permanently banned” the user and implemented new “safeguards” to prevent this from happening again.
A Clubhouse spokesperson did not immediately respond to a request for comment.
Daniel Sinclair, an independent researcher studying social media, analyzed the OpenClubhouse tool and explained how it worked in a Twitter thread. In practice, the tool was relying on a Clubhouse account that was joining some rooms and collecting the room’s unique tokens, codes that allow users to join a call. These tokens were available to anyone because of how the backend service for Clubhouse was architected. This allowed anyone to become “a ghost listener,” Sinclair wrote in his thread.
Sinclair told Motherboard that the tool did not appear to record the audio; instead, it was streaming it from Clubhouse’s backend.
“That they could turn a private call into essentially a public broadcast using the same service is a concern, but they themselves weren’t recording,” Sinclair said in an online chat.
Sinclair said that conversations marked “private” were likely not accessible to the tool.
Motherboard reached out to the developer of the tool via email and LinkedIn, but they did not respond.