WARNING / NOTES
FOR REFERENCE AND EDUCATION PURPOSES ONLY. THIS DOES NOT COME WITH ANY KINDS OF WARRANTY.
PLEASE DO NOT CREATE BOTS OR DO ANY HARMFUL THINGS TO THE SERVICE. DON’T BREAK THINGS. DON’T BE EVIL.
ANDROID OFFICIAL BUILD IS OUT. THERE WILL BE NO MORE UPDATES ON THIS PROJECT.
Pull Requests / Issues
I disabled PRs and issues temporarily. I will only accept requests when it is worth fixing.
Please contact by DMs through @stereotype32 for any questions. Please do not spam e-mails for a request.
rc_token related requests will be rejected. (See closed issues)
Are you affiliated with those guys who built the website that streamed Clubhouse rooms?
I am not affiliated with anyone or any company with regards to Clubhouse issues.
Why did you develop this? What is your whole intention about releasing this to the public?
- There have been a lot of articles about security concerns of Clubhouse when I joined Clubhouse.
- I decided to take a closer look at the application by reverse engineering the app. With this I can find out what is the truth and what isn’t.
- I found some possible security risks during the analysis. However, I will not disclose this information until things are properly and safely mitigated.
- I was planning to destroy my work after doing the analysis, but I’ve decided to share the code as (i) I found out that the whole authentication flow and API base may change in the future, so this src will be priceless at some point of time (ii) I think it would be better off for Android phone users to interact with others. (iii) I wanted more people to join into conversations and have fun.
What if someone uses your code to do malicious activities? Wouldn’t that be an issue?
- Evil people with evil intentions will do bad things even if the sourcecode wasn’t released.
- There have already been numerous reports of trollers doing bad things here and there. (Reference) These trollers have also disclosed their sourcecode, so please take some time to check their source code. These guys did their stuff without even referencing others’ source code. This already shows that evil people will always try to break stuff and do bad things regardless of any other helpful factors.
- What I shared on GitHub is a very basic thing that a reverse engineer can do. It’s technically not difficult to get this information snatched from the binary.
- Clubhouse has a straightforward API with some unknown security mechanisms; they have implemented things to ban you for excessive usage.
- DO NOT even try anything if you don’t really know what you’re trying to do. I have been mentioning the same message over here and there.
- I am not liable for anything you do with this application. I already warned about this as well.
You’ve released API keys and secret keys. Wouldn’t that severely impact the server?
- Let me make things clear first. Those keys are NOT confidential secrets.
- These are just identifiers for third-party services to declare that your actions are coming from the Clubhouse app.
- These keys are used for communication, adding your instagram/twitter accounts, chat notifications, etc.
- I wouldn’t have disclosed keys if these keys were actual secrets/confidentials.
Can you disclose what you’ve found during an analysis?
I will only disclose these issues to the vendor.
I think issues I found seem to be already reported by other researchers as well and they might be already aware of these issues and circumstances.
I’ve already sent a twitter DM to one of Clubhouse employees as of 2021/Feb/24, but I haven’t received any messages yet.
Then, can you explain a bit on that myth about the Chinese IP thing?
- It’s fixed in the latest version. You don’t have to worry about this anymore.
- Worth reading this technical post for more detailed information.
- The blog post is written in Korean so please translate the page.
I heard that the app is using iOS just to prevent the voice recording. Releasing these kinds of code can possibly make it ‘easier’ to make voice recording. I want to hear your opinions.
- There is literally no way to disallow users from recording the voice. Imagine some people having a “physical” recording device next to them. How will you or the Clubhouse app detect such actions?
- Moreover, there is no way to even catch or block the user when someone records and shares your voice record anonymously.
- I think there are much more serious risks/problems that CH developers need to take a look at. There seem to be more high priority issues than this one. (in which I assume they’re already working on atm)
What do you think about the Clubhouse app? Is the app secure enough? Can you rate their security quality?
From my very personal perspective as a security engineer:
- API: Well-made, and I see developers are trying to fix some security issues here, although they still haven’t fixed it yet.
- Notifications: LGTM, but sometimes the server goes down pretty frequently. I haven’t looked deep into it.
- Interaction with voice protocol: meh, but it looks like they’re trying to work on it. I think it is more fun to dig more in but doing so will go out of the scope.
Don’t you think your actions were ethically wrong?
- I also heard that these issues were raised and discussed over several months in an open Clubhouse chatroom, and I guess I’ve clarified a lot of questions people had for several months. I guess this already helped some of the engineers who were pretty much concerned about things here.
- I am pretty sure that someone would’ve done this if it wasn’t me anyways. At least I gave some initiative to try with good will and share details with you guys.
I heard that the voice communication is not encrypted. Is this true?
As of 2021/Feb/24,
- This technical post already explains things really well about the current situation.
- I was also curious and read some documentations in Agora.io (Reference)
- As mentioned in the technical post, it looks like the communication encryption is never done.
- Also, by looking at those documentations and my codes, you may have already noticed that enableEncryption is never used here.
- In the latest version, they have added the encryption routine but it is not yet used. It should be fixed in the upcoming releases.
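One way to check the "never used" observation mechanically, as an added example that is not part of clubhouse-py: it parses Python client source and reports whether an Agora encryption method is actually called, as opposed to merely mentioned, in code that joins a channel. The sample sources and the `make_engine` helper are constructed; `joinChannel`, `setEncryptionMode` and `setEncryptionSecret` are assumed from Agora's SDK documentation rather than taken from this page.

```python
import ast

# Agora RTC engine methods that switch on media encryption. enableEncryption is
# the name on the page; the two older setters are assumed from Agora's SDK docs.
ENCRYPTION_CALLS = {"enableEncryption", "setEncryptionMode", "setEncryptionSecret"}

# Constructed sample: encryption is only mentioned in a comment, never called.
SAMPLE_PLAINTEXT = '''
rtc = make_engine()  # hypothetical helper
rtc.initialize(APP_ID, None, 1)
# TODO: rtc.enableEncryption(True, config)
rtc.joinChannel(token, channel, "", user_id)
'''

# Constructed sample: encryption is enabled before the channel is joined.
SAMPLE_ENCRYPTED = '''
rtc = make_engine()  # hypothetical helper
rtc.initialize(APP_ID, None, 1)
rtc.enableEncryption(True, config)
rtc.joinChannel(token, channel, "", user_id)
'''


def called_methods(source):
    """Yield (line, name) for every function or method call in the source."""
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Call):
            func = node.func
            # obj.method(...) carries the name in .attr, plain f(...) in .id
            name = func.attr if isinstance(func, ast.Attribute) else getattr(func, "id", None)
            if name:
                yield node.lineno, name


def find_encryption_calls(source):
    """Real call sites only: comments and string literals never reach the AST."""
    return sorted(hit for hit in called_methods(source) if hit[1] in ENCRYPTION_CALLS)


def joins_without_encryption(source):
    """True when the code joins a voice channel but never enables encryption."""
    joins = any(name == "joinChannel" for _, name in called_methods(source))
    return joins and not find_encryption_calls(source)


if __name__ == "__main__":
    for label, src in (("plaintext", SAMPLE_PLAINTEXT), ("encrypted", SAMPLE_ENCRYPTED)):
        print(label, find_encryption_calls(src), joins_without_encryption(src))
```
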
I heard that the app is also using Camera permissions. I am really worried right now.
You don’t have to worry about this as well. There are some things to share here.
- It may have been turned on because you tried to take a photo of yourself to put a profile image.
- … or the voice SDK is trying to secretly access your camera. But from my analysis, I don’t see anything like that happening from the App to take photos or videos. Although they have the feature to communicate with your camera, the app does not use that part of the feature atm. (Confirmed safe as of Feb 2021)
I heard that the app is also taking your information while adding your Instagram/Twitter accounts. Did you check that?
Yes. You don’t have to worry about this as well.
Clubhouse only takes very basic part of your information just to verify that you are the owner of the given account.
- For Instagram: You’re allowing Clubhouse to just take your username. That’s all.
- For Twitter: You’re allowing Clubhouse to read your profile, timeline and tweets. However, Clubhouse CANNOT read your personal DMs. This is the least permission they can ask to a user.
The permission setting can also change, but in that case you will be asked again to re-authorize the application with additional permission. Don’t worry so much about this part.
If you’re still worried about this, you can also revoke the access by doing the following action.
- For Instagram: Apps and Websites -> Clubhouse -> revoke access.
- For Twitter: Security and account access -> Apps and sessions -> Clubhouse -> revoke access.
Do you have any plans to do further analysis if Clubhouse opens up a bug bounty programme?
Is Clubhouse actually working hard to fix all kinds of security stuff? I’m really worried.
Yes, but there are some reasons why developers are taking some time.
- They probably don’t want to break things while updating. Developers also need time to fix and test their own code.
- Clubhouse is a small company with ~10 employees. You also need to consider the manpower to fix issues.
- It may take a few days to get their updates reviewed by Apple.
- They also need to have some time to make “best moves” in order to efficiently fix issues.
As a typical user, what do I need to be very careful about when using Clubhouse?
- As a speaker: Always assume that someone is recording your voice. Always think multiple times before you speak. Don’t speak out confidential/personal stuff. I am not saying that the Clubhouse is recording your voice. There are chances that some trolls or reporters are trying to record multiple chatrooms.
- As a moderator: You need to be alert and make quick decisions to make your channel healthy. If someone says something weird or does something crazy, you need to make quick decisions. Move that speaker to audience or just kick the user out of the channel. Simple as that. Also, be aware that you have a lot of privileges. Do not give moderators to unknown people. Any moderator can destroy the channel.
Why did you block issues / PRs?
Mainly two reasons:
- There are some people sending me some issues without actually looking into sourcecodes and testing codes.
- There are some people wasting their time to send worthless PRs.
I will not open these for the time being. You can send me a message or make your own fork, and I will take a look whenever I’m free.
Clubhouse API written in Python
clubhouse-py was originally developed for the sake of interoperability.
Standalone client is also created with very basic features, including but not limited to the audio-chat.
Please note that you may get a permanent ban for sending invalid API requests. Server’s ratelimit and security mechanisms are quite strict.
Check Releases. OSX(x86_64) may not be stable for use yet.
- Windows or OSX
- Python 3.7 or higher
- Install by pip
$ pip3 install clubhouse-py
...
Successfully built clubhouse-py
Installing collected packages: clubhouse-py
Successfully installed clubhouse-py-304.0.1
- You need to install Agora SDK for voice communication. Refer to Agora-Python-SDK#installation.
- Clone project
$ git clone https://github.com/stypr/clubhouse-py.git clubhouse
$ cd clubhouse
- You need to install dependencies first.
$ pip3 install -r requirements.txt
- You need to install Agora SDK for voice communication. Refer to Agora-Python-SDK#installation.
- For calling APIs from other script
from clubhouse.clubhouse import Clubhouse
...
if __name__ == "__main__":
    clubhouse = Clubhouse()
- For running a standalone client
$ python3 cli.py
PubNub is used for the notification while being in a conversation.
This has not been implemented yet. However, you may utilize the PubSub keys provided in the sourcecode to implement this.
Reference / Recommended to read
You may also add more endpoints and features based on the following repositories.
Please note that these repositories were partially referenced to create this project.
Most things were tested and handcrafted from scratch.
- https://github.com/Seia-Soto/clubhouse-api (NodeJS build)
- https://github.com/grishka/Houseclub (Android build)
- https://theori.io/research/korean/analyzing-clubhouse/ (Written in Korean)