Crashing the party: beware the cyber risks of virtual meet-up apps like Houseparty
- Written by Mohiuddin Ahmed, Lecturer of Computing & Security, Edith Cowan University
Social gatherings with friends and family are an essential part of being human. So it’s no surprise, with real-life gatherings limited to just two people, that people are flocking to apps that can keep us connected virtually.
The breakout hit has undoubtedly been Houseparty, which bills itself as a “face to face social network”, allowing simultaneous video chat in groups of up to eight users.
But with the app’s booming popularity come a growing number of questions about how safe and secure these kinds of apps really are.
Read more: 'Zoombombers' want to troll your online meetings. Here's how to stop them
Although Houseparty has been around since 2016, the COVID-19 pandemic has sent it stratospheric. Last month it reportedly shot from 130,000 downloads a week to 2 million.
Its “parties” are initiated by invitation, usually from the users’ phone contact list. Other options include linking to Facebook, or finding users based on location.
It can run on both Android and iOS devices, giving it a significant advantage over services such as Apple’s FaceTime, which are restricted to specific platforms.
But House Party isn’t the only way for people to hang out virtually. Netflix Party, for example, allows friends to simultaneously stream content via Google’s Chrome browser. The tool also comes with a chat functionality that allows viewers to discuss the action, like a virtual version of Gogglebox (minus the TV crews).
Some users may choose to use more traditionally business-oriented conferencing tools like Skype or Zoom, although they lack the hipster-chic of the party apps. Zoom in particular is grappling with recent bad publicity relating to security vulnerabilities.
Privacy at risk
Unlike Facebook, which allows friend requests between total strangers, Houseparty and Netflix Party seem to have set a higher privacy standard at the outset, by virtue of their invitation-only policies. But this process is not as watertight as it might sound.
For example, the Houseparty app does not require any authentication of the identity of the user, as it only requires validation of the device via a code sent to the user’s phone.
There is also no age verification, although admittedly this is difficult to implement successfully.
Read more: Restricting underage access to porn and gambling sites: a good idea, but technically tricky
Some Houseparty users have also been surprised at the ease with which the live video chats can be initiated, sometimes unwittingly – which presents clear privacy problems.
The app’s default settings also allow gatecrashers to enter virtual parties – something that can only be prevented by changing the settings to “lock” the session.
Cyber crime
It would be relatively simple for a cyber-criminal, with the help of a stolen smartphone, to exploit virtual parties. Most Facebook users would avoid accepting a friend request from someone they don’t know, but Houseparty’s single-factor identification makes it fairly straightforward to pose as someone’s friend.
Once connected, criminals could exploit their victims in various ways, such as by coercing them into giving up money or personal details. There is also a risk that bored or unwary users may be more willing to connect with strangers during extended stays at home.
Younger users, particularly teens using devices without parental scrutiny, may be particularly vulnerable to this kind of exploitation.
Taking it outside
Cyber-criminals can also copy the apps’ notifications to trick users into clicking a link that actually takes them elsewhere.
To send invitations to those who are not already using the app, Houseparty needs permission to access the users’ contact list. This allows the app to invite someone with a link via SMS. The SMS is quite brief, for example:
We need to talk. https://get.houseparty.com/yourpartycode
It would be simple to create a similar-looking URL that directs users not to Houseparty but instead to a malicious site that installs spyware or other malware on their device. There is no evidence yet of such attempts via Houseparty, but similar SMS scams are already widespread elsewhere.
Netflix Party is similarly vulnerable to phishing attacks. A fake Netflix Party link could become a nightmare for victims if their identity is stolen during the lockdown period.
Read more: Everyone falls for fake emails: lessons from cybersecurity summer school
Just as working from home poses cyber dangers, so too do our social activities during lockdown.
That is especially the case given that the blurring of home and work life makes it more likely that people will be undertaking social activities on their work devices. Losing sensitive corporate information would certainly be no party.
Authors: Mohiuddin Ahmed, Lecturer of Computing & Security, Edith Cowan University