How Clubhouse user scraping and social graphs

Intro

Red Team projects have become a routine for many pentest companies quite a long time ago. In Hexway, we don’t do them a lot only because our main focus is on collaborative pentest platform for Red Team, Hive.
But in this case, we couldn’t resist — the project seemed to be very promising.We won’t go into detail on the project itself but rather focus on one of its parts.

  • LinkedIn
  • Facebook

Clubhouse? What?!

Clubhouse is a voice-based social network. It was popular for a couple of weeks in February 2021.

  • Users mostly sign up with their real names, photos, and links to other social media
  • It’s quite easy to get into a room with interesting people, who are often hard to reach through traditional channels like email, LinkedIn, etc.
  • Our experience tells us that people are suspicious of cold emails with attachments and don’t open them. But in the context of an informal social platform, they seem to be less alert, which is good for RedTeam.
  1. Find our target in Clubhouse
  2. Wait until they participate in a room as a speaker
  3. Join the room
  4. Try to engage them in a conversation. Get them interested and move the conversation over to email
  5. Send them an email with the attachment and payload
  6. The target opens our docx
  7. Profit!

First troubles

First, we registered in Clubhouse. That was easy! We’re looking for our target … and find nothing. We couldn’t find them by their name or nicknames on other platforms. Unfortunately, you can’t search users by profile description or Twitter/Instagram accounts. So, they are not on Clubhouse? Maybe they have an Android?

This is the way!

Okay, chin up. Our target could be using a fake name not to reveal themselves and participate in rooms dedicated to non-work-related topics. It’s time to find out. Let’s try to use the power of social graphs.

  1. Get their list of followers and their accounts
  2. Get the list of users they follow and their accounts
  3. Get the lists of users of the clubs these accounts are in
  4. Filter all these users by “X corp” in the About profile section
  5. Make social graphs to find our target in someone’s connections
  • “following” connections
  • “follower” connections
{
"user_profile":{
"user_id":4,
"name":"Rohan Seth",
"displayname":"",
"photo_url":"https://clubhouseprod.s3.amazonaws.com:443/4_b471abef-7c14-43af-999a-6ecd1dd1709c",
"username":"rohan",
"bio":"Cofounder at Clubhouse ?? (this app!) and Lydian Accelerator ? (non profit for fixing genetic diseases)",
"twitter":"rohanseth",
"instagram":"None",
"num_followers":5502888,
"num_following":636,
"time_created":"2020-03-17T07:51:28.085566+00:00",
"follows_me":false,
"is_blocked_by_network":false,
"mutual_follows_count":0,
"mutual_follows":[],
"notification_type":3,
"invited_by_user_profile":"None",
"invited_by_club":"None",
"clubs":[],
"url":"https://www.joinclubhouse.com/@rohan",
"can_receive_direct_payment":true,
"direct_payment_fee_rate":0.029,
"direct_payment_fee_fixed":0.3
},
"success":true
}

Example 1. Get the information about the user chipik and all of their followers and followed the accounts.

~python3 clubhouse-graphs.py -u chipik --followers --following
|------------|-----------|-------------|--------------------------------------------------------------------------------------------|----------|------------------------|---------|-----------|-----------|-----------|------------|-----------------|
| user_id | name | displayname | photo_url | username | bio | twitter | instagram | followers | following | invited by | invited by name |
|------------|-----------|-------------|--------------------------------------------------------------------------------------------|----------|------------------------|---------|-----------|-----------|-----------|------------|-----------------|
| 1964245387 | Dmitry Ch | | https://clubhouseprod.s3.amazonaws.com:443/1964245387_428c3161-1d0e-456e-b2a7-66f82b143094 | chipik | - hacker | _chipik | | 110 | 96 | 854045411 | Al Fova |
| | | | | | - researcher | | | | | | |
| | | | | | - speaker | | | | | | |
| | | | | | | | | | | | |
| | | | | | Do things at hexway.io | | | | | | |
| | | | | | tg: @chpkk | | | | | | |
|------------|-----------|-------------|--------------------------------------------------------------------------------------------|----------|------------------------|---------|-----------|-----------|-----------|------------|-----------------|

Example 2. Get the list of the participants of “Cybersecurity Club”

~python3 clubhouse-graphs.py --group 444701692
[INFO ] Getting info about group Cybersecurity Club
[INFO ] Adding member: 1/750
[INFO ] Adding member: 2/750
...
[INFO ] Adding member: 749/750
Done!
Check file ch-group-444701692.html with group's users graph

Example 3. Find all users who allegedly work/worked at the WIRED magazine and their followers and followed the accounts.

~python3 clubhouse-graphs.py --find_by_bio wired
[INFO ] Searching users with wired in bio
[INFO ] Adding 1/100
[INFO ] Adding 2/100
...
[INFO ] Adding 100/100
Done!
Find graph in ch-search-wired.html file

Example 4. Clubhouse invitation chain

To sign up in Clubhouse, you need an invitation from a Clubhouse user. We can use that fact as additional evidence of connections between accounts.

~ python3 clubhouse-graphs.py -I kevinmitnick
[INFO ] Getting invite graph for user kevinmitnick
Kevin Mitnick<--Maite Robles
Maite Robles<--Roni Broyde
Roni Broyde<--Alex Eick
Alex Eick<--Summer Elsayed
Summer Elsayed<--Dena Mekawi
Dena Mekawi<--Eric Parker
Eric Parker<--Global Mogul Chale
Kojo Terry Oppong<--Shaka Senghor
Shaka Senghor<--Andrew Chen
Done! Find graph in ch-invitechain-kevinmitnick.html file

Results

We have collected the users, filtered them by jobs, and built a graph showing connections between them (followers, followed, invitations). Thus, we found a user with a dog on a scooter as their profile pic and no bio. This user is followed by almost all the found X corp employees but follows just one of them. Finally, the user’s name contained the target’s initials, so we felt safe to assume it’s them.

Takeaways

  • Do not limit yourself to “standard” social engineering channels.
  • Be careful with the information you put out on social media, especially if it concerns your current or previous employment.
  • Most likely, the popularity of Clubhouse has passed. But there are a lot of users with real data, which can be parsed easily. All that makes us think that someone could already have collected a database of Clubhouse users, and some time later it may end up leaked.

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Hexway

Hexway

A platform for pentest management and collaboration