After Facebook and LinkedIn, the new social platform Clubhouse is also in the crosshairs of hackers, with a data leak affecting more than a million users. Clubhouse, the startup that recently shook up the social world with its invitation-only app, has been hit by the latest case of user data theft, which ended with the records being published on an underground forum without any payment being asked (the data is publicly available).
The file contains personal data relating to 1.3 million Clubhouse users.
User names, IDs, photo URLs, follower counts, Twitter and Instagram accounts, account creation dates and also the profile of the user who issued the invitation to the app are among the information contained in this database, as revealed by CyberNews. With this information, hackers or lone criminals could set up phishing campaigns or other schemes based on social engineering.
Clubhouse’s reply – through its representatives, Clubhouse stated that the availability of users’ data was not caused by a bug but by the normal operation of the platform, that is, by the way it was built.
On the basis of that statement, however, it is not clear what relevance this circumstance has for the users affected by the data leak.
The leaky social API – Clubhouse’s terms of service clearly prohibit data scraping, that is, automated data exfiltration, but its API, as Clubhouse itself admits, is reachable online and has no protection against this practice.
The usage policies are evidently at odds with Clubhouse’s situation: it is an invitation-only platform, yet user data is available to everyone. In fact, it is enough to understand how the API works and is structured to exfiltrate data on the millions of users who have signed up.
A real nightmare from the privacy point of view…
As things stand, a profound change of direction at the top of the company would be essential, including the adoption of strict security measures for its APIs. Testing APIs in production matters not only to uncover vulnerabilities but also to find logical flaws that can lead to indiscriminate access to user data.
A fundamental problem – the way the Clubhouse application was implemented allows anyone holding a token, through the API, to query the whole set of public data in users’ profiles, and, what is more, this token appears to have no expiration date.
The SQL file posted on the hacker forum contains only Clubhouse profile information and does not include sensitive data such as credit card details or identity documents.
In the last two weeks, data relating to 533 million Facebook users was leaked, and 500 million in the LinkedIn data leak, to which the 1.3 million Clubhouse users are now added.
It is the common pattern that is worrying: all the platforms have also denied the very existence of the problem. Facebook was likewise breached via APIs, following a scheme that is becoming more common in light of recent events.
Scraping the contents – scraping content is the first step of a common attack model. Digital enterprises often build (or integrate) APIs without paying much attention to the potential for abuse of the data they expose.
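As an added, illustrative defender-side example (not Clubhouse’s code or the article’s), this Python script runs over a constructed API access log and flags the behaviour described above: a single token fetching many profiles per minute, walking profile IDs in sequence, and a token still in use long after it was issued. The log lines, token names and issue times are all invented.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample API access log (not real Clubhouse traffic), one request per
# line: "<timestamp> <token> <profile id>". tok_A walks IDs fast; tok_B is normal.
SAMPLE_LOG = "\n".join(
    [f"2021-04-10T12:00:{i:02d} tok_A {1000 + i}" for i in range(30)]
    + ["2021-04-10T12:00:05 tok_B 4242", "2021-04-10T12:03:10 tok_B 1000",
       "2021-04-10T12:09:00 tok_B 77"])
# Assumed (constructed) token issue times. Tokens that never expire are the
# weakness the article describes, so over-age tokens still in use are flagged.
TOKEN_ISSUED = {"tok_A": datetime(2021, 1, 1), "tok_B": datetime(2021, 4, 10, 11)}
MAX_TOKEN_AGE = timedelta(hours=24)

def parse_log(text):
    """Return sorted (timestamp, token, profile_id) tuples; skip malformed lines."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3:
            events.append((datetime.fromisoformat(parts[0]), parts[1], int(parts[2])))
    return sorted(events)

def detect_scraping(events, window=timedelta(minutes=1), max_profiles=20, min_run=5):
    """Per token: bulk profile fetches, sequential ID walks, over-age tokens."""
    by_token = defaultdict(list)
    for ts, tok, pid in events:
        by_token[tok].append((ts, pid))
    findings = {}
    for tok, reqs in by_token.items():
        reasons = []
        start = 0  # sliding window over requests no more than `window` apart
        for end in range(len(reqs)):
            while reqs[end][0] - reqs[start][0] > window:
                start += 1
            if len({pid for _, pid in reqs[start:end + 1]}) > max_profiles:
                reasons.append("bulk-profile-fetch")
                break
        run = best = 1  # longest run where each profile id is the previous + 1
        for (_, a), (_, b) in zip(reqs, reqs[1:]):
            run = run + 1 if b == a + 1 else 1
            best = max(best, run)
        if best >= min_run:
            reasons.append("sequential-id-enumeration")
        if tok in TOKEN_ISSUED and reqs[-1][0] - TOKEN_ISSUED[tok] > MAX_TOKEN_AGE:
            reasons.append("over-age-token-in-use")
        if reasons:
            findings[tok] = reasons
    return findings
```

Calling `detect_scraping(parse_log(SAMPLE_LOG))` reports only `tok_A`, with all three reasons; the thresholds are starting points to tune against real traffic.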
LinkedIn too, after the incident, publicly stated that the platform had not been “breached” from a technical point of view and that the information was public and had been exfiltrated and leaked.
Swascan itself, on 5 April 2021, using its own OSINT Search Engine tools, had identified several sale announcements concerning the data of LinkedIn users.
Specifically, it had identified:
- A post published on 3 April 2021 at 12:41 PM about the sale of “LinkedIn 1billion (1000 million) record”
- A post published on 11 January 2021 at 05:43 AM about the sale of “LinkedIn 550 million full profiles, emails, puts, recent data”.
The dangerous consequences of data leaks – incidents of this kind do not appear destined to stop in the coming months. APIs are a vehicle for functionality and data. Companies running social platforms think first of utility, making APIs available for faster deployment.
Hackers know this well and keep targeting these APIs to breach databases and reuse publicly available data for criminal purposes.
The collection of data about emails and phone numbers exposes us to the concrete and tangible risk of:
- Phishing
- Smishing
- Business Email Compromise
- Spam
- Spoofing
- …
Users of all these social platforms should be aware of the risks linked to this leak. It is advisable to always pay extra attention to suspicious emails and messages, because the risk of being targeted by a phishing campaign is high after events like these.
SOURCE: FEDERPRIVACY