Clubhouse API allows everyone to scrape public user data

Recently, an SQL database containing data of 1.3 million Clubhouse users was posted on a hacker forum for anyone to access. The data included names, user IDs, social media profile names and other details about clubhouse users.

According to Cybernews, Clubhouse responded quickly, stating the company has not been breached or hacked. Rather, the data of 1.3 million people posted on the cybercriminal forum is "all public profile information, which anyone can access via the app or [their] API."

The company's statement has raised concerns about Clubhouse's user privacy.

According to Setu Kulkarni, Vice President, Strategy at WhiteHat Security, a San Jose, Calif.-based provider of application security, "Clubhouse has conflicting user policies – being an invite-only platform and at the same time free-for-all user data. When all development has now shifted to API first development, then why hasn’t security also shifted to API first security? Arguably, making APIs public has a much lower bar than making the application public (online or through app stores). All it takes is one user to figure out the API for such large data egress of the millions of users on the platform. Testing APIs in production is as if not more important than ever for not just vulnerabilities but also for business logic flaws that can result in unfettered access to user data by malintending actors."

After recent data leaks from social media companies, like Facebook, LinkedIn and now Clubhouse, Michael Isbitski, Technical Evangelist at Salt Security, a Palo Alto, Calif.-based provider of API security, says it's clear that there is a bigger problem with API incidents than just these three isolated events.

"While social media companies are taking the heat right now because of the sensitivity of data they keep and resulting privacy impacts, I don't expect that this will be the last of these sort of scraping incidents," Isbitksi says. "APIs are regularly the vehicle for functionality and data. Social media companies inherently design their platforms to be consumable, powering much of it with APIs. Attackers know this, and they continue to target APIs in scraping attacks, repurposing publicly available data for malicious purposes."

Hank Schless, Senior Manager, Security Solutions at Lookout, a San Francisco, Calif.-based provider of mobile security solutions, says distributed workforces, personal devices and massive cloud infrastructures make it difficult for security teams to understand the security posture of all devices and cloud resources. He explains, "It is difficult for IT to keep up with all the emerging cloud services that employees are using. Employees now use personal, corporate, managed, and unmanaged devices to work from anywhere and remain productive. These devices are unknown to the security organization before their initial connection into company infrastructure, which means they could unknowingly introduce malware. Threat actors know that your employees use devices for both personal and work, and will try to leverage personal channels to gain access to enterprise assets."

Schless says, "There are countless services that connect to social media platforms as a form of validation and integration. You need to know what services the apps on employee devices connect to in order to have proper visibility into data access policies. In order to protect your enterprise data, you may want to implement policies that block apps that integrate with social media platforms."

ON DEMAND: In this webinar, Regina Lester, Vice President of Security & Safety Operations at Toledo Zoo, will share her insights on implementing security technologies in the entertainment sector and the challenges all organizations face — large and small — when it comes to balancing budget and security.