Clubhouse bugs let users vanish in rooms and disrupt them

Critics worry that Clubhouse doesn’t do nearly enough to protect its users’ privacy.


Clubhouse bugs allowed users to appear to vanish from rooms yet still participate in their conversations without the permission of room creators, according to cybersecurity researcher Katie Moussouris in a Wired report. Moussouris described the issue as a twofold nightmare scenario. One problem, which Moussouris calls "Stillergeist," allowed some users to eavesdrop on rooms without the knowledge of their creators.

The other problem was "Banshee Bombing," in which users could verbally harass rooms by invisibly joining the speaker panel. This made it impossible to remove the user from the room, since their profile could not be seen or tapped on. The security researcher shared screenshots with Wired showing her in a Clubhouse room with a Wired reporter without her avatar appearing. For a platform that is struggling with fake Android copies, privacy problems, and inflammatory rhetoric, it's just another headache for the iOS-only service to handle.

The problem’s since been fixed — According to Moussouris, the issue with phantom eavesdropping and "Banshee Bombing" took place in March and it has since been fixed. She told Wired that she honored the 45-day disclosure period she offered Clubhouse to fix the hiccup before she went public with the information.

A spokesperson for the audio-only app stated, "We appreciate the collaboration of researchers like Katie, who helped us identify a few bugs in the user experience and allowed us to swiftly address those to remove any vulnerability before any users were affected. We welcome continued collaboration with the security and privacy community as we continue to grow."

Tread carefully — Clubhouse has rectified the issue by dispatching fixes for the bugs but other privacy quagmires remain. For example, Clubhouse records user conversations. It states so in its privacy policy: "Solely for the purpose of supporting incident investigations, we temporarily record the audio in a room while the room is live. If a user reports a Trust and Safety violation while the room is active, we retain the audio for the purposes of investigating the incident, and then delete it when the investigation is complete." If no issue is reported, Clubhouse claims it deletes the audio once the room is gone.

Despite the issues being resolved now, critics worry that Clubhouse's attitude toward these problems is lackadaisical and could harm users. Researchers theorize that this halfhearted approach to rectifying platform woes stems from Clubhouse lacking the incentive to sincerely care about user privacy. If the firm wants to continue dominating the audio-only app space, it should consider a serious appraisal of its infrastructure before it’s too late. Of course, the way things are going, it might not have to… people might simply stop using it as they’re able to return to bars and clubs and restaurants and eavesdrop on — or engage with — people instead.