What happened so far …
In our first thread on Clubhouse (in german) we had only taken a superficial look at Clubhouse.
We saw that Clubhouse uses an external service provider called Agora.io for the voice call functionality. Agora.io is also used by many other apps, including a therapy app. In the thread we found that, among other things, we can easily listen to a room without being displayed to the other room participants if we communicate directly with Agora.
Conversely, you can also be displayed in a room without listening. However, this is not really a problem - after all, even outside Clubhouse you are often present in conversations without really listening.
… and what happened next …
After we published the Twitter thread, we tried to play sound directly through Agora. This still worked after we left the room - we could still participate in conversations.
Of course, we only tested the whole thing in private rooms so as not to disturb anyone. The standard behaviour of Clubhouse in private rooms is that all participants are allowed to speak. Clubhouse also has the feature of a virtual stage, especially for larger, public rooms. Only those who have been brought onto this stage can speak audibly for the whole room, the rest remain in the virtual audience and can only listen. After our previous experience, we suspected something bad, so we moved our test account to the Audience. As expected, everyone in the room was immediately informed that the account could no longer speak and was now in the audience. However, this account could continue to play sound without any problems, which could be heard throughout the room.
Again, the behaviour can be combined with the original discovery - the account can leave the room and then not only continue to listen, but also play sound that is transmitted to everyone in the room.
Unfortunately, the only feature of Clubhouse that a room moderator could use to prevent unwanted participants (and their audio) is also broken: the eject button. This “Remove from Room” button only asks the Clubhouse app of the respective user to leave the room. If the app is modified, it can simply ignore this request and remains in the room.
If you talk directly to the audio service provider Agora, all the moderation options of the Clubhouse app have no effect. The possibility to play sound continues to work until the room is finally closed for everyone.
… next week on zerforschung
We will publish an article with all technical details as well as the tools we built in the course of the tests. But first we want to give Clubhouse enough time to fix the described problems.
We have informed Clubhouse about the problems but have not received any feedback at the time of publication.
However: We have decided to publish this article anyway before fixing the problems, because in our view these problems are unfortunately (too) easy to find and can cause some damage if not known.
However, after a quick skim of the Agora interface documentation and Clubhouse’s use of it so far, we estimate that fixing the problem might be a bit more difficult after all. But the details and a few fun things we found will follow soon, so stay tuned 🚀✨
All our work is done in our spare time, besides our jobs and general pandemic exhaustion. If you like what we do and want to support us so we can do more nonsense like this or something else, you can check out our support page.
Audio in the sample videos: Kmart Radio Jingle & Kmart Gift Certificates Announcement from https://archive.org/details/KmartDecember1992