“With hockey stick growth you become a potential target for the bad guys.”

Over the years I have written a few articles on breakout apps that have serious potential to do damage to corporate data. Anyone remember Pokemon Go and the outdated, misconfigured sign-in flow that granted the app full access to users' Google accounts, including staff on G Suite backends? See my earlier article, "Did Pokemon Go Just Hack the Enterprise?" on LinkedIn.

So, what do Clubhouse, Pokemon Go and Zoom all have in common? Answer: explosive growth. With hockey stick growth you become a potential target for the bad guys. Natural disasters spike search terms, and within hours or days attackers mobilise well-crafted phishing campaigns to cash in. Explosive growth like Zoom experienced during the Covid-19 pandemic brings increased scrutiny of your security practices, and explosive growth of a seemingly innocent game like Pokemon Go lets hackers uncover misconfigured data flows. Clubhouse is no different.

Clubhouse Gathers Valuable Personal Data

Clubhouse has managed to attract some of the most influential people on the planet to the platform (not sure how or why... but well done). With this influx comes great responsibility and a great deal of target risk. Why? One simple reason in my opinion: the collection of personal information such as your phone number and your contacts.

The Clubhouse iOS app requires you to enter your phone number to use the service. Nothing ground-breaking here, but the service is smart enough to reject generic VoIP numbers such as SkypeOut or Google Voice and appears to function only with a genuine mobile number.


In addition to this step, Clubhouse also asks for permission to sync your contacts. Once again, syncing your address book is not uncommon. But in this case Clubhouse has now hoovered up the address books of Oprah Winfrey, Elon Musk, Vanilla Ice, Ashton Kutcher and many, many more, and in the process has made itself a very big target for the bad guys. Finally, if you want to schedule a room session, the app also asks for access to your Calendar. Can anyone comment on the black-market asking price for Elon Musk's phone number, address book and Calendar?


Clubhouse Has a High Privacy Risk Score

In doing research for this article, I had the app scanned with the Zimperium Mobile Threat Defence platform to find out a little more. Per the image below, it did not score all that well. Please reach out if you want a copy of the full 38-page report.


Immediate Action Plan

As a precaution, I would urge all businesses that have a device management platform in place to do a quick look-up and see whether the Clubhouse app has been installed on any staff phones. If it has, and the user granted the contacts permission, the chances are that your global address book (synced into that phone's contacts) is now in the hands of Clubhouse, and we can only hope that some of the 9 (yes, 9) employees at Clubhouse have secured the backend correctly to ward off the onslaught of attacks that is likely mobilising right now.
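For readers whose device management platform is Microsoft Intune, here is one way to do that look-up from the command line. This is an added example, not code from the original article or from Clubhouse or Mobile Mentor; it uses the Microsoft Graph PowerShell SDK (Microsoft.Graph.DeviceManagement module) and assumes the caller holds the DeviceManagementManagedDevices.Read.All permission and that the app appears in the inventory under the display name "Clubhouse".

```powershell
# Added example (not from the original article): list Intune-enrolled devices whose
# app inventory reports Clubhouse, and who they belong to.
# Assumptions: Intune tenant; Microsoft.Graph.DeviceManagement module installed;
# the inventory display name is exactly "Clubhouse".
Connect-MgGraph -Scopes "DeviceManagementManagedDevices.Read.All"

# detectedApps is the tenant-wide inventory of apps seen on enrolled devices.
$apps = Get-MgDeviceManagementDetectedApp -All -Filter "displayName eq 'Clubhouse'"

if (-not $apps) {
    Write-Output "No enrolled device reports Clubhouse in its app inventory."
    return
}

foreach ($app in $apps) {
    # Each detected app links back to the managed devices it was found on.
    $devices = Get-MgDeviceManagementDetectedAppManagedDevice -DetectedAppId $app.Id -All
    foreach ($d in $devices) {
        [pscustomobject]@{
            App       = $app.DisplayName
            Version   = $app.Version
            Platform  = $app.Platform
            Device    = $d.DeviceName
            User      = $d.UserPrincipalName
            Ownership = $d.ManagedDeviceOwnerType   # company vs personal
        }
    }
}
```

One caveat before you treat an empty result as good news: on iOS, Intune collects a full app inventory only from corporate-owned (supervised) devices; on personally owned devices it reports managed apps only, so a user who installed Clubhouse from the App Store on a BYOD phone will not show up here. The Ownership column is there so you can see how much of your fleet the query actually covers.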

This takes us back to the start.

Why am I concerned about Clubhouse?

The size of the Clubhouse team is 9 staff. If companies with tens or hundreds of security experts can get breached, how long will it be before someone breaks into the Clubhouse (pun intended)?

The size of the audience. Explosive growth does strange things. When you grow to 2 million daily active users faster than Facebook or Twitter did, size does matter.

The world is watching.


Conclusion

The threat landscape is evolving daily, and seemingly innocuous apps can represent a huge security risk. Mobile Mentor offers a Mobile Threat Management service to clients large and small. If you are interested in learning more, contact us.