Clubhouse is a voice-based social network application launched in April 2020. It's getting more and more interest in Italy in the last few days, as we can see from the amount of Facebook posts talking about it, offering or looking for an invite or by the Google Trends, which shows a peak of interest in late January.
Like any new online service, portal or social networking platform, the implications for OSINT could be interesting: we are going to show you a few valuable elements for your Open Source Intelligence analysis, based on our first Clubhouse direct test.
Profiles are linked to mobile numbers
To create and activate an account in this initial phase, you need to be invited with an SMS by another user who has your mobile number in their mobile contact list. The first helpful element for investigative purposes is that the ClubHouse profile is linked to the most used mobile phone number user. As of February 2021, by knowing the mobile phone number of one or more targets, you may trace their account and their profile and social connections present in ClubHouse, just by adding their phone number to your mobile phone contact list.
How the "nominated badge" works
Another interesting aspect on Clubhouse is that the person who invited you is publicly reported in your user profile, in the "nominated badge" entry. by having only two invite available, using one for your own contact still represents an element of trust or at least mutual knowledge.
For example, let me introduce you to this scenario: of (such that) a number whose owner we are looking for, a phone number of which we cannot find any useful information online by using other OSINT techniques. By using Clubhouse it could be possible to know both the currently used profile from which to derive names, aliases etc. those data can be used to start other Osint activities, investigating both the target and the person who invited him/her to Clubhouse who represents a relevant source of information to be aggregated with the other elements in our possession.
At the time of writing, it is not possible to remove the indication of who invited us to Clubhouse, thus eliminating the “nominated badge”. In the Clubhouse knowledge base states that by policy, in general, Clubhouse does not remove the “nominated badge” which indicates who has invited a certain profile on the platform, except in rare situations in which it could be granted (“As a policy we generally do not remove the nominated by badge, as it’s been a positive aspect in the community til date. There are very rare situations in which we may consider doing this.”).
Let's rebuild the invitation chain
It is equally interesting to try to reconstruct the reference chain of Clubhouse invitations, simply sIt is equally interesting to reconstruct the reference chain of Clubhouse invitations, simply starting from the target profile and clicking on the "nominated by" field of each "parent" profile, which essentially indicates who invited the person owning the profile. We can get helpful information by following the reference chain of ClubHouse invitations. All that we have to do is click on the "nominated by" field of each profile to know who invited our target.
Let's test this theory with the profile of an American rapper. First, we check the reliability of the Clubhouse profile (there are several "fake" nicknames) by observing how (if?) the user-id is linked to the rapper's original Twitter account. This is another element of considerable interest for OSINT since authentication is required to link a Twitter account to a Clubhouse profile, and the legitimate owner only can do this.
Once the authentic profile has been identified, possibly also by observing the number of followers, Once the authentic profile has been identified, possibly also by observing the number of followers, following and the groups which it belongs to, you (we) can proceed backwards by following the invitations of (via) the "nominated badges", virtually continuing to the account that was invited first. we should be kept in mind that some user accounts (such as those of particularly famous people or some of the first to be activated in April 2020) may not have the presenter's name, breaking the chain of invitations useful for the OSINT activities.
For OSINT activities on ClubHouse, we should consider that it is possible to register an alias on the platform even without an invitation. Only the intervention of one of our contacts in the address book with a Clubhouse account and at least one invitation after receiving a notification from the system can remove us from the waiting list and allow us to activate and use the account.
Information about the profile's phonebook
Another possible technique that can be applied on ClubHouse is that, by accessing the invitations page, it is possible to view, for each number entered in the telephone book, how many users are already present on Clubhouse among those who have registered their mobile number between contacts. It may seem paradoxical, but the count does not concern our contacts on the Clubhouse, but the profile's one. For example, if for a user we see "150 friends on Clubhouse", it means that the user is in the address book of other 150 subjects registered on Clubhouse, regardless of whether these subjects are our friends or not, and regardless of whether he has been already registered (indeed, once registered, this information will no longer be available).
As proof of this thesis, by activating Clubhouse, I see in the invitation window as (the) subjects with the highest number of friends on Clubhouse the fixed numbers for blocking credit cards (!) and those of the telephone operators' assistance centres, numbers that a lot of people keep stored in their phonebook for emergency situations (the former) or because they are usually already inserted on SIM cards (the latter). For example, let's look at the number of "friends" of the fixed user of a service number which cannot be registered on the Clubhouse but appears to be present in the address book of 109 users who are, in turn, registered on the Clubhouse.
We can say (agree) that the number of "friends on Clubhouse" indicates the "popularity" of the contact among other Clubhouse users: a high number indicates popular subjects or whose users are stored in many telephone directories, therefor a low number indicates subjects with less friends on the Clubhouse, the number “1” indicates that our contact is the only one among the subject's contacts to be present on Clubhouse (toglierei questa specificazione). To verify this, just enter any number in the phonebook and you will see that it will have a popularity of "1". It should be noted that this value will only be visible until the user registers on Clubhouse. Once the number has been linked to an account, it will only indicate that the user has registered a profile and the number of users who have this number in their phonebook will be removed.
Also, consider that ClubHouse can only be accessed via login with a telephone number and SMS sent to the corresponding user: there is no password as already happens in other services such as Medium; this is an additional important element.
An email address is also required
After creating a Clubhouse account, a popup window will ask (without being obliged to do so) to enter an email address, but only for possible verification purposes ("secure your account with a second way to prove who you are"). In this case, a code will be sent to the email address with a link to confirm the actual ownership of this address.
In the "My Account & Profile" section of the Clubhouse knowledge base, it is specified that this e-mail address does not serve as a second authentication factor (in fact, there is no way to enter it, to access (to access what?)) but rather to verify the possession of an account in case of account-related requests ("This e-mail will not be publicly visible, but we may use it to confirm ownership of your account when account-related requests are submitted, so it should be an account that you actively check").
When we register on Clubhouse, a notification is sent to those who have our number among their contacts, even if they are not in our contacts or we have not heard anything from them for years. Considering that Clubhouse requires the insertion of a name and a surname that will be published, it is easy for the phone number to be associated with the actual contact. In this way, an additional way is added to the methods to find out the identity of the owner of a telephone number.
The platform's website
Another consideration for OSINT activities on Clubhouse concerns what is published on the JoinClubHouse.com site: with a simple "site:" we can observe several thousand results, but these are essentially "events". Excluding those with an "-event", only a few results remain. Therefore the profiles of the users are not published on the site, or at least they are not indexed.
Last but not least element to do OSINT with the Clubhouse App: Clubhouse is currently available only for iPhone, so - until the App is made available for Android - if a user has a Clubhouse profile (s)he has an iPhone as well.
For OSINT it would be interesting to track until Clubhouse is not available for other platforms, the users who have gradually registered, thus mapping in some way those who have an iPhone, helpful information in different contexts: profiling, preparation of an attack or infection, phishing, etc.
In summary, the critical elements that can be obtained from a Clubhouse profile, starting both from the telephone number (which nickname is obtained from) and the nickname alone, or from a keyword search, are:
- profile picture (if the user does not have a profile, the one he is using in Google contacts)
- the target voice (accent, way to speaking, etc.)
- followers (you can see the list)
- followings (you can see the list)
- membership groups
- the Twitter and Instagram accounts linked to the profile
- the possession of an iPhone and/or an iPad
Suppose you are worried about your privacy and any implications regarding doxing, which can happen by exploiting the data contained in your Clubhouse profile, and you are thinking about how to limit interactions between the App and your data made public. In that case, the possibilities are really few; other than removing your account from Clubhouse.
Again, the App does not facilitate the removal of an account as to date there is no Clubhouse account closure feature within the App or on the website but, as indicated in the Knowledge Base, The App does not facilitate the removal of an account as to date there is no Clubhouse account closure feature within the App or on the website. But, as stated in the Knowledge Base, you must contact Clubhouse support via email at email@example.com by writing directly from the email entered in your account. Since it does not seem mandatory to enter an email address, the question is how you can remove a Clubhouse account if you no longer have access to your sim (e.g. number change, SIM swap fraud, etc.).
As a closing thought, an interesting in-depth analysis of the privacy issues regarding Clubhouse you may want to read our friend Carola Frediani Guerre di Rete's article (in Italian language).
January 31, 2021