Viral lockdown app Houseparty may be aiding hacks; company denies

Viral video chat application Houseparty is allegedly hacking its users, many claimed on social media. A stream of posts on social networking platform Twitter suggest that the app led attackers into compromising users’ social media, e-mail, Uber, Spotify and even online banking accounts. What’s unclear is how exactly this happened.

“BEWARE! I know I’m not the only one with this problem! A few of my friends have been hacked by @houseparty if you look at the Twitter feed! They log into your Spotify from Russia. Get your bank details and can hack it. It’s very simple once you click agree to terms and conditions,” a user tweeted.

In response to the allegations, the company assured users via a tweet that all accounts are safe. It also called the allegations a “smear campaign to harm Houseparty”. It has now offered a million dollar bounty to the first person who can prove that the allegations are indeed a smear campaign.

Cyber security experts are also on Houseparty’s side. Security company Sophos pointed out in a blog post that while there have been many allegations against the app, no one has been able to prove that the company actually hacked its user accounts. However, Sophos also said it hasn’t analysed the app yet, and thus, couldn’t conclude that the app is bug-free.

“To be honest, we can’t tell you that the Houseparty app is bug-free, because we haven’t decompiled or analysed it, and even if we had, working out that an app is totally free of vulnerabilities is a close-to-impossible exercise, as are many tasks where you are expected to prove a negative,” Sophos said in the post.

Sophos also said if the app is harming its users, then they won’t be safe even if they deleted the app. So, it was imperative that they changed existing passwords, used two-factor authentication wherever possible and watched their financial statements carefully. Many users alleged that they couldn’t delete their accounts on their Android phones.

“Hack or not. People need to be able to delete their accounts. It’s AGAINST EU GDPR LAW. You need to fix this. I will be reporting this,” a user wrote on Twitter.

Another security researcher from India told Mint that the “whole thing reeks of a smear campaign”.

Houseparty has existed on Android and iOS app stores for a few years now, but wasn’t very popular worldwide until now. The recent covid-19 (coronavirus) related lockdowns around the world have led many to download the app. Its daily downloads increased from 24,795 per day on 15 February to 651,694 on 25 March, according to reports.

The app was bought by video game publisher Epic Games last year after it started adding games to its platform.