Houseparty, the app that found itself in the spotlight of viral user attention owing to the global stay-at-home mandates, has announced a million-dollar bounty for anyone who finds proof that other applications on users' phones were being hacked as a result of the Houseparty app. Responding to a sudden explosion of allegations that a security flaw in the app was causing other services to be remotely infiltrated by hackers, Houseparty sent out an official response on Twitter earlier today, saying:
"We are investigating indications that the recent hacking rumors were spread by a paid commercial smear campaign to harm Houseparty. We are offering a $1,000,000 bounty for the first individual to provide proof of such a campaign to firstname.lastname@example.org. We have spent the past few weeks feeling humbled and grateful that we can be such a large part of bringing people together during such a hard time."
— Houseparty (@houseparty) March 31, 2020
Houseparty's denial of a hack or a breach of its protocols is in line with cyber security researchers, who say there is no proof of a vulnerability in the source code of the Houseparty app that would enable remote attackers to exploit other devices too. Manan Shah, chief executive of cyber consultancy firm Avalance Global Solutions, told News18 that there is no proof of such vulnerabilities in the Houseparty app, and although similar cyber crime activities may be on the rise globally, they may not be directly linked to the Houseparty app.
Similar thoughts are echoed by John Shier, senior security advisor at Sophos, who attempts to clarify the reasons behind Houseparty facing the sudden flak. In a statement shared with News18, he says, "One likely scenario is that the Houseparty app is the last app many users may have installed and registered using the same credentials as other apps, such as Netflix, Spotify and countless others. Criminals are constantly using old, compromised credentials to access online services in credential stuffing attacks. Correlating these two events seems to be what's causing all the fuss."
That said, the Houseparty app has been noted to have a number of other privacy-related concerns. The first is data collection, with the Houseparty app reportedly collecting sensitive user data such as device movement details, location data, contacts and other identifiers. Data privacy law practitioner Suzanne Vergnolle revealed on Twitter a clause from Houseparty's user agreement and disclosure document, which states, "With respect to requests for deletion (of your private data), we'll take steps to delete your information as soon as we can, but some information may remain in archived/backup copies for our records or as otherwise required by law."
The "méchant" (bad) Internet could collect your personal data.
House Party doesn't take responsibility for securing its information systems. Regardless, such declaration is unenforceable under GDPR.
A second privacy clause from Houseparty reveals an even more worrying approach, stating, "The internet cannot be guaranteed to be 100 percent secure, and we cannot ensure or warrant the security of any information you provide to us. We do not accept liability for unintentional disclosure." In other words, any data that Houseparty collects about you is almost certainly out of your hands, and the very presence of such clauses is good reason not to trust a service that blatantly disregards the information and privacy of its users.
As a user, you should be warned: while using the Houseparty app will indeed bring you closer to your friends, you might just be putting your own privacy, and your friends', at risk.