Connect with us

Uncategorized

A race to reverse engineer Clubhouse raises security concerns

Published

on

As live audio chat app Clubhouse ascends in popularity around the world, concerns about its data practices also grow.

The app is currently only available on iOS, so some developers set out in a race to create Android, Windows and Mac versions of the service. While these endeavors may not be ill-intentioned, the fact that it takes programmers little effort to reverse engineer and fork Clubhouse — that is, when developers create new software based on its original code — is sounding an alarm about the app’s security.

The common goal of these unofficial apps, as of now, is to broadcast Clubhouse audio feeds in real-time to users who cannot access the app otherwise because they don’t have an iPhone. One such effort is called Open Clubhouse, which describes itself as a “third-party web application based on flask to play Clubhouse audio.” The developer confirmed to TechCrunch that Clubhouse blocked its service five days after its launch without providing an explanation.

“[Clubhouse] asks a lot of information from users, analyzes those data and even abuses them. Meanwhile, it restricts how people use the app and fails to give them the rights they deserve. To me, this constitutes monopoly or exploitation,” said Open Clubhouse’s developer nicknamed AiX.

Clubhouse cannot be immediately reached for comment on this story.

AiX wrote the program “for fun” and wanted it to broaden Clubhouse’s access to more people. Another similar effort came from a developer named Zhuowei Zhang, who created Hipster House to let those without an invite browse rooms and users, and those with an invite to join rooms as a listener though they can’t speak — Clubhouse is invite-only at the moment. Zhang stopped developing the project, however, after noticing a better alternative.

These third-party services, despite their innocuous intentions, can be exploited for surveillance purposes, as Jane Manchun Wong, a researcher known for uncovering upcoming features in popular apps through reverse engineering, noted in a tweet.

“Even if the intent of that webpage is to bring Clubhouse to non-iOS users, without a safeguard, it could be abused,” said Wong, referring to a website rerouting audio data from Clubhouse’s public rooms.

Clubhouse lets people create public chat rooms, which are available to any user who joins before a room reaches its maximum capacity, and private rooms, which are only accessible to room hosts and users authorized by the hosts.

But not all users are aware of the open nature of Clubhouse’s public rooms. During its brief window of availability in China, the app was flooded with mainland Chinese debating politically sensitive issues from Taiwan to Xinjiang, which are heavily censored in the Chinese cybserspace. Some vigilant Chinese users speculated the possibility of being questioned by the police for delivering sensitive remarks. While no such event has been publicly reported, the Chinese authorities have banned the app since February 8.

Clubhouse’s design is by nature at odds with the state of communication it aims to achieve. The app encourages people to use their real identity — registration requires a phone number and an existing user’s invite. Inside a room, everyone can see who else is there. This setup instills trust and comfort in users when they speak as if speaking at a networking event.

But the third-party apps that are able to extract Clubhouse’s audio feeds show that the app isn’t even semi-public: It’s public.

More troublesome is that users can “ghost listen,” as developer Zerforschung found. That is, users can hear a room’s conversation without having their profile displayed to the room participants. Eavesdropping is made possible by establishing communication directly with Agora, a service provider employed by Clubhouse. As multiple security researchers found, Clubhouse relies on Agora’s real-time audio communication technology. Sources have also confirmed the partnership with TechCrunch.

Some technical explanation is needed here. When a user joins a chatroom on Clubhouse, it makes a request to Agora’s infrastructure, as the Stanford Internet Observatory discovered. To make the request, the user’s phone contacts Clubhouse’s application programming interface (API), which then creates “tokens”, the basic building block in programming that authenticates an action, to establish a communication pathway for the app’s audio traffic.

Now, the problem is there can be a disconnect between Clubhouse and Agora, allowing the Clubhouse end, which manages user profiles, to be inactive while the Agora end, which transmits audio data, remains active, as technology analyst Daniel Sinclair noted. That’s why users can continue to eavesdrop on a room without having their profile displayed to the room’s participants.

The Agora partnership has sparked other forms of worries. The company, which operates mainly from the U.S. and China, noted in its IPO prospectus that its data may be subject to China’s cybersecurity law, which requires network operators in China to assist police investigations. That possibility, as the Stanford Internet Observatory points out, is contingent on whether Clubhouse stores its data in China.

While the Clubhouse API is banned in China, the Agora API appears unblocked. Tests by TechCrunch find that users currently need a VPN to join a room, an action managed by Clubhouse, but can listen to the room conversation, which is facilitated by Agora, with the VPN off. What’s the safest way for China-based users to access the app, given the official attitude is that it should not exist? It’s also worth noting that the app was not available on the Chinese App Store even before its ban, and Chinese users had downloaded the app through workarounds.

The Clubhouse team may be overwhelmed by data questions in the past few days, but these early observations from researchers and hackers may urge it to fix its vulnerabilities sooner, paving its way to grow beyond its several million loyal users and $1 billion valuation mark.

Lyron Foster is a Hawaii based African American Musician, Author, Actor, Blogger, Filmmaker, Philanthropist and Multinational Serial Tech Entrepreneur.

Continue Reading
Comments

Uncategorized

Tim Hortons marks two years in China with Tencent investment

Published

on

Tim Hortons, the Canadian coffee and doughnut giant, has raised a new round of funding for its Chinese venture. The investment is led by Sequoia China with participation from Tencent, its digital partner in China, and Eastern Bell Capital. The round comes two years after Tim Hortons made its foray into China’s booming coffee industry.

Tim Hortons didn’t disclose the amount of its latest fundraise but noted in a social media post that the proceeds will be used for opening more stores, building its digital infrastructure, brand presence, and more.

Tencent, the Chinese social media and entertainment behemoth, first backed the 57-year-old Canadian coffee chain last May. At the time the tie-up was seen as Tencent’s move to counter archrival Alibaba’s alliance with Starbucks to deliver coffee and help the American coffee titan go digital in China.

Tim Horton’s collaboration with the WeChat parent is in a similar vein. It has so far accumulated three million members through its WeChat mini program, a type of lightweight app that runs within the instant messenger. To appeal to young Chinese consumers, Tim Hortons opened an esports-themed cafe with Tencent, China’s biggest gaming company.

Two years into operating in China, Tim Hortons says it has reached storefront-level profitability with a footprint of 150 locations across 10 major cities. It plans to add more than 200 locations in 2021 and reach 1,500 stores nationwide in the next few years.

The dramatic rise and fall of coffee delivery startup Luckin brought the prospects of China’s coffee market to the forefront. Despite the investment frenzy around Luckin and other coffee businesses, coffee drinking still has a relatively low penetration in China compared to countries like the United States and Germany. On the other hand, coffee consumption is growing at a much faster rate of 15% in China, well above the global average of 2%, and is projected to reach 1 trillion yuan ($150 million) in 2025, according to a 2020 report by Dongxing Securities.

Continue Reading

Uncategorized

Bessemer Venture Partners closes on $3.3 billion across two funds

Published

on

Another major VC firm has closed two major rounds, underscoring the long-term confidence investors continue to have for backing privately-held companies in the tech sector.

Early-stage VC firm Bessemer Venture Partners announced Thursday the close of two new funds totaling $3.3 billion that it will be using both to back early-stage startups as well as growth rounds for more mature companies.

The Redwood City-based firm closed BVP XI with $2.475 billion and BVP Century II with $825 million in total commitments.

With BVP XI, it plans to focus on early-stage companies spanning across enterprise, consumer, healthcare, and frontier technologies. 

Its Century II fund is aimed at backing growth-stage companies that Bessemer believes “will define the next century,” and will include both follow-on rounds for existing portfolio companies or investments in new ones.

BVP XI marks Bessemer’s largest fund in its 110-year history. In October 2018, the firm brought in $1.85 billion for its tenth flagship VC fund. This latest fund is its fifth consecutive billion-dollar fund, based on PitchBook data. 

Despite being founded more than 100 years ago, Bessemer didn’t actually enter the venture business until 1965. It’s known for its investments in LinkedIn, Blue Apron and many others, with a current portfolio that includes PagerDuty, Shippo, Electric and DocuSign. Exits include Twitch and Shopify, among many others.

With more money than ever before available for backing startups, the challenge now for VCs is to see how and if they can find (and invest in) whatever will define the next generation of tech. 

“As venture capitalists, we pay too much attention to pattern recognition and matching when in reality, the biggest opportunities exist where those patterns break,” the firm wrote in a blog post today. “Our job is to make perceptive bets on the future, especially those that others will dismiss and ridicule. We are fundamental optimists and strong believers in the power of innovation; our life’s work is putting our reputation, time, and money to help entrepreneurs realize a different future. They’re the ones pioneering something entirely new and obscure – a technology, a business model, a category.

In addition to announcing the new funds, Bessemer also revealed today that it’s brought on five new partners including Jeff Blackburn, who joins after a 22-year career at Amazon, alongside the promotion of existing investors Mary D’Onofrio, Mike Droesch, Tess Hatch, and Andrew Hedin.

Most recently at Amazon, Blackburn served as senior vice president of worldwide business development where he oversaw dozens of Amazon’s minority investments and more than 100 acquisitions across all business lines – including retail, Kindle, Echo, Alexa, FireTV, advertising, music, streaming audio & video, and Amazon Web Services.  

“Having been part of Amazon for more than two decades, I’m excited to begin a new chapter helping customer-focused founders build breakthrough companies,” said Blackburn in a written statement.  “I’ve known the Bessemer team for many years and have long admired their strategic vision and success backing early-stage ventures.” 

With the latest changes, Bessemer now has 21 partners and over 45 investors, advisors, and platform “team members” located in Silicon Valley, San Francisco, Seattle, New York, Boston, London, Tel Aviv, Bangalore, and Beijing. 

“At Bessemer, there’s no corner office or consensus; every partner has the choice, independently, to pen a check. This kind of accountability and autonomy means a founder is teaming up with a partner and board director who thoroughly understands your business and can respond quickly and decisively,” the firm’s blog post read.

Continue Reading

Uncategorized

Daily Crunch: Twitter announces ‘Super Follow’ subscriptions

Published

on

Twitter reveals its move into paid subscriptions, Australia passes its media bargaining law and Coinbase files its S-1. This is your Daily Crunch for February 25, 2021.

The big story: Twitter announces ‘Super Follow’ subscriptions

Twitter announced its first paid product at an investor event today, showing off screenshots of a feature that will allow users to subscribe to their favorite creators in exchange for things like exclusive content, subscriber-only newsletters and a supporter badge.

The company also announced a feature called Communities, which could compete with Facebook Groups and enable Super Follow networks to interact, plus a Safety Mode for auto-blocking and muting abusive accounts. On top of all that, Twitter said it plans to double revenue by 2023.

Not announced: launch dates for any of these features.

The tech giants

After Facebook’s news flex, Australia passes bargaining code for platforms and publishers — This requires platform giants like Facebook and Google to negotiate to remunerate local news publishers for their content.

New Facebook ad campaign extols the benefits of personalized ads — The sentiments are similar to a campaign that Facebook launched last year in opposition to Apple’s upcoming App Tracking Transparency feature.

Startups, funding and venture capital

Sergey Brin’s airship aims to use world’s biggest mobile hydrogen fuel cell — The Google co-founder’s secretive airship company LTA Research and Exploration is planning to power a huge disaster relief airship with an equally record-breaking hydrogen fuel cell.

Coinbase files to go public in a key listing for the cryptocurrency category — Coinbase’s financials show a company that grew rapidly from 2019 to 2020 while also crossing the threshold into unadjusted profitability.

Boosted by the pandemic, meeting transcription service Otter.ai raises $50M — With convenient timing, Otter.ai added Zoom integration back in April 2020.

Advice and analysis from Extra Crunch

DigitalOcean’s IPO filing shows a two-class cloud market — The company intends to list on the New York Stock Exchange under the ticker symbol “DOCN.”

Pilot CEO Waseem Daher tears down his company’s $60M Series C pitch deck — For founders aiming to entice investors, the pitch deck remains the best way to communicate their startup’s progress and potential.

Five takeaways from Coinbase’s S-1 — We dig into Coinbase’s user numbers, its asset mix, its growing subscription incomes, its competitive landscape and who owns what in the company.

(Extra Crunch is our membership program, which helps founders and startup teams get ahead. You can sign up here.)

Everything else

Paramount+ will cost $4.99 per month with ads — The new streaming service launches on March 4.

Register for TC Sessions: Justice for a conversation on diversity, equity and inclusion in the startup world — This is just one week away!

The Daily Crunch is TechCrunch’s roundup of our biggest and most important stories. If you’d like to get this delivered to your inbox every day at around 3pm Pacific, you can subscribe here.

Continue Reading

Trending