If your service or application is popular, attackers will do their best to figure out the APIs behind your app and use them to work around any limitations you have imposed on the user interface.Once you get an Agora token, you retain access to the room’s audio stream even if you leave the room in Clubhouse (so the state of your Clubhouse user token changes, but Agora token doesn’t) and join another one. This worked because Agora tokens are long-lived and independent of Clubhouse.
The Clubhouse app then uses these tokens to grant users access to the audio stream.Īttackers used their Clubhouse user token and had a bot join every room, collect the Agora tokens, and plug them into a browser client. When users join a room, they are issued an Agora token. A different platform, Agora, does the audio streaming. It turns out that APIs and tokens are at the heart of it.Ĭlubhouse itself is actually mostly handling just the user management part. This breaks Clubhouse’s terms of service and customer expectations: conversations are only supposed to be accessible live and only to the users in that particular room.ĭaniel Sinclair posted his analysis on the root cause of the incident in his Twitter thread. Last Sunday, it had a data spill incident in which one of the users started streaming multiple rooms from their own website.
Vulnerability: ClubhouseĬlubhouse is an audio-only social network app for iPhone.
#Clubhouse api postman update
This week, we take a look at the recent data spill incident at Clubhouse, the (poor) state of API security in major healthcare mobile applications, how scope-based reconnaissance methodology works, and the latest update (v3.1.0) to the OpenAPI Specification.
0 kommentar(er)
