A developer made a tool that scraped some conversations on Clubhouse and streamed them on a website, making them available to anyone—even people without an account—undermining the app's ephemeral, invitation-only nature.
Last week, a developer called ai-eks published the tool on the open source repository GitHub. The developer then started uploading the conversations and streaming them on a website called OpenClubhouse.
"This is a third party Clubhouse audio player. I hope that everybody can hear the voice. So it is a open Clubhouse client for Android, for Computer, and for anyone without invite code," the developer wrote on the site. "All room accesses are acquired from personal session, and all copyrights of the voice are belongs [sic] to JoinClubhouse.com and its users."
Anyone could listen to conversations on the site and see people who were participating in the sessions, according to screenshots of the site.
Clubhouse, which initially attracted celebrities and Silicon Valley venture capitalists, is growing in popularity but is still only available to those who received an invite from an existing user. Celebrities like Drake, Oprah Winfrey, and Kevin Hart have even popped up on the app, offering people the rare chance of digital proximity to the wealthy and famous. Its current, semi-exclusive and ephemeral nature has generated some controversies, like a room in which Silicon Valley elites discussed journalists having too much power, and conversations that spread conspiracy theories about COVID-19.
A website that makes some of those conversations public and easy to listen to seems to undermine some of Clubhouse's appeal, but as of Monday, Clubhouse blocked the account that ai-eks used to record and stream conversations from the app, and his site no longer provides streams. A Clubhouse spokesperson said in a statement sent via email that “recording or streaming without the explicit permission of the speakers is against the Clubhouse terms of service.”
“Over the weekend, an individual temporarily streamed multiple rooms from their own feed to a website,” the statement read. “This individual's account has been permanently banned from the service and we have added additional safeguards to prevent people from doing this in the future.”
Daniel Sinclair, an independent researcher studying social media, analyzed the OpenClubhouse tool and explained how it worked in a Twitter thread. In practice, the tool relied on a Clubhouse account that joined some rooms and collected each room's unique tokens, codes that allow users to join a call. These tokens were available to anyone because of how the backend service for Clubhouse was architected. This allowed anyone to become "a ghost listener," Sinclair wrote in his thread.
Sinclair told Motherboard that the tool did not appear to record the audio; it was streaming it from Clubhouse's backend.
"That they could turn a private call into essentially a public broadcast using the same service is a concern, but they themselves weren’t recording," Sinclair said in an online chat.
Sinclair said that conversations marked "private" were likely not accessible to the tool.
Motherboard reached out to the developer of the tool via email and LinkedIn, but they did not respond.
CORRECTION, Monday Feb. 22, 1:42 p.m. ET: A previous version of this article mistakenly identified Lieyi Zhang as the developer of OpenClubhouse. In fact, the developer is someone who goes by the name ai-eks on GitHub.
This story has been updated to include a statement from a Clubhouse spokesperson.