A Clubhouse Bug Let People Lurk in Rooms Invisibly

“Basically I’m going to keep talking to you, but I’m going to disappear,” longtime security researcher Katie Moussouris told me in a private Clubhouse room in February. “We’ll still be talking, but I’ll be gone.” And then her avatar vanished. I was alone, or at least that’s how it seemed. “That’s it,” she said from the digital beyond. “That’s the bug. I am a fucking ghost.”

It’s been more than a year since the audio social network Clubhouse debuted. In that time, its explosive growth has come with a panoply of security, privacy, and abuse issues. That includes a newly disclosed pair of vulnerabilities, discovered by Moussouris and now fixed, that could have allowed an attacker to lurk and listen in a Clubhouse room undetected, or verbally disrupt a discussion beyond a moderator’s control.

The vulnerability could also be exploited with virtually no technical knowledge. All you needed was two iPhones that had Clubhouse installed and a Clubhouse account. (Clubhouse is still only available on iOS.) To launch the attack, you would first log into your Clubhouse account on Phone A, and then join or start a room. Then you’d log into your Clubhouse account on Phone B—which would automatically log you out on Phone A—and join the same room. That’s where the problems started. Phone A would show a login screen, but wouldn’t fully log you out. You’d still have a live connection to the room you were in. Once you “left” that same room on Phone B, you would disappear, but could maintain your ghost connection on Phone A. 

Lily Clubhouse menu screenshot

In the screen on the right, Moussouris was gone, but her Clubhouse ghost remained.

Screenshot: Lily Newman via Clubhouse

Moussouris also found that a hacker could have launched the attack, or variations on it, using more technical mechanisms. But the fact that it could be done so easily underscores the importance of the flaw. Moussouris calls the eavesdropping attack “Stillergeist” and the interrupting attack “Banshee Bombing.” 

Since the vulnerability existed for any room, she argues that the weakness represented a worst-case scenario for Clubhouse as the platform works to deal with privacy issues, harassment, hate speech, and other abuse. Not knowing who’s listening in on a conversation, or having to shut down a room because you can’t stop an invisible person from saying whatever they want, are nightmare situations for an audio chat app.

After Moussouris submitted her findings to the company in early March, she says Clubhouse was not immediately responsive and it took a few weeks to fully resolve the issue. Ultimately, Clubhouse explained to Moussouris that it patched two bugs related to the finding. One fix made sure any ghost participants were always muted and couldn’t hear a room even if they were hovering in it, essentially trapping them in Clubhouse purgatory. The second bug fix resolved a cache display issue, so users are more fully logged out on an old device if they log into another. Moussouris says she hasn’t fully validated the fixes herself, but that the explanation makes sense.