Greetings everyone, I am Tes Sal, a CyberSecurity specialist, bot expert, with 7+ years background in programming.
In this article I’ll like to share one of my interesting findings and my experience with the clubhouse team, the bug I found here is actually really simple. However the interesting thing here is the impact of the vulnerability itself.
The reason I really wanted to write about this is because of how much fun I had finding it, also to clear the air, because a lot of people have been asking me what happened to my followers and lastly to give some knowledge back to the community.
When I first heard about clubhouse in January I found a lot of folks talking about the app about how cool it was, and decided to join and see how I could gain some knowledge and probably help out others. Being a curious fellow(like any other hacker) I decided to dive under the hood and figure out how the application was working. I literally bought an extra Iphone just to achieve this.
I was initially able to find a persistent session token bug meaning the session token doesn’t change even if you login on a separate device, but that wasn’t as interesting as the following unlimited followers vulnerability.
Unlimited Followers Vulnerability
I was reviewing the api calls the application makes when on-boarding a new user when I found out some interesting api calls.
I noticed the applications makes a particular call to the endpoint
/api/follow_multiple which kinds of allows a user to follow multiple clubhouse users to kind of curate the sort of room he would have access to after the on-boarding process.
I decided to tamper with the request and instead of passing different user ids to the
/api/follow_multiple api, I replaced that with a single user_id to see what would happen..
Interestingly I noticed the user id passed, got followed by the amount of times his user_id occurred in the array_list.
Interesting thing to note though was I had tried this same approach earlier with the
/api/follow endpoint which is called when you try to follow a single user and it didn't work.
After the POC (proof of concept) I put up a report in no time with the help of a colleague @wareeq_shile and reached out to the clubhouse team via email, however i didn’t get a response, so i reached out to Paul on LinkedIn and got a response to send the report to email@example.com
This was the last interaction I had with the clubhouse team and I sent several emails after this to confirm If my report was received but didn’t get any response. After 3 weeks I noticed the vulnerability was partially fixed and could not be reproduced but I still had the invalid followers I had given myself(didn’t expect to have the followers for that long), I further sent another email to the team but got no response. Finally in May a followers reset was done by the clubhouse team which then cleared out the invalid followers for me and any other users who also had that sort of invalid followers.
NB: Something that many do not know is that clubhouse.com has a bug bounty program on hackerone (as many other companies do) and also accepts submissions via email(even though they might reply late/not at all).
In this article we’ve seen how a developer can make a flawed assumption, so as for researchers I would advise that if you try an approach and it didn’t work with an api endpoint it doesn’t necessarily mean it wouldn’t work with another api endpoint within the same application, I hope you enjoyed your read hope to see you in my next post, thank you so much for reading and lastly #BeEthical :)