Houseparty: How safe is Epic Games' video chat app?
- Published
The messages began circulating at the weekend: "Delete the Houseparty app, it's hacked my Spotify account!"
Like many rumours, the posts went viral across both public networks, like Twitter and Facebook, and closed forums on WhatsApp and Snapchat.
They have become so widespread that Houseparty itself says it is a victim of a "paid commercial smear campaign".
The US firm's owner Epic Games is now offering $1m (£803,000) bounty for evidence that a "malicious actor" is behind the claims.
Allow Twitter content?
This article contains content provided by Twitter. We ask for your permission before anything is loaded, as they may be using cookies and other technologies. You may want to read Twitter’s cookie policy, external and privacy policy, external before accepting. To view this content choose ‘accept and continue’.
So is Houseparty hacking people?
The consensus in the information security world is that it's highly unlikely the app is actively breaking into people's other accounts.
Although relatively unknown until the pandemic, Houseparty was acquired last June by the well-established company behind the hit game Fortnite.
"These posts seem very clearly to imply that Houseparty is a rogue app that is actively breaking into every part of your digital life and plundering it in a determined burst of criminality," says Paul Ducklin a researcher from cyber-security company Sophos.
"But this is a mainstream app published by a well-known software company in Apple's and Google's official online stores."
That's not to suggest that Houseparty is too big to get hacked. There are numerous examples of well-resourced companies having flawed products and many other examples of organisations inaccurately denying they have been hacked, either knowingly or not.
However, the nature of this incident isn't consistent with usual cyber-criminality.
"Normally when a cyber-crime group breaches a company or downloads a user account database, the data is sold at a high price and used very carefully," explains Elliott Thompson, consultant at SureCloud.
"If a scam group purchased data for $10,000, it wouldn't make sense financially to burn the data by trying to steal accounts for streaming services.
"Similarly, if the breach was widely available, it would typically appear on public forums and we've certainly not seen anything like that."
Experts say the alleged breaches are probably linked to unrelated hacks, and it's a coincidence that people are reporting falling victim shortly after downloading the chat app.
"When people use the same passwords and email addresses for many different services, hackers only need to get access to one of those website databases and they suddenly have access to all your accounts," Mr Ducklin adds.
"With Houseparty being the new app on so many people's phones, this could be why people are pointing fingers in that direction right now."
Is there a co-ordinated effort to smear Houseparty?
Epic Games certainly seems to suggest there is an organised campaign.
"Our investigation found that many of the original tweets spreading this claim have been deleted and we've noticed Twitter accounts suspended," it says.
But the BBC spoke to two people whose posts were shared widely and they don't appear to be in any way co-ordinated or following paid orders.
One woman said she posted a warning and advice on how to delete the app simply because she wanted to help others.
Another 26-year-old woman from Scotland tweeted that she and her friend's Spotify, Amazon, PayPal and online bank accounts had been hacked since downloading Houseparty.
Speaking to the BBC by phone, she admits she has no evidence to link Houseparty to her compromised Spotify account. She says she only made the connection after seeing a screenshot of someone else making a similar claim.
"Me and my friends have used Houseparty almost every night since the virus started and we really enjoyed playing the games as a group but then dodgy stuff started happening," she explained.
"I got an email from Spotify about suspicious activity saying someone was trying to log in to my account so I changed my password. This has only happened since I downloaded the app, and when I told my group chat about it, a couple of people also said weird stuff had happened to them so we deleted it and I warned others."
The woman acknowledges she uses the same password and email across several online services, so was already at relatively high risk.
Is the app safe then?
Epic Games insists its customer data is safe and secure.
"Passwords are kept in a secure database, salted and hashed, in line with best industry practices," says a spokesman.
And security experts - who are now examining the product in detail - say nothing obvious stands out.
"The permissions don't ring any privacy alarm bells for me," says Lukas Stefanko from Eset.
"The app provides video chats with your friends so it is logical that it asks for access to camera, contacts, location, that sort of thing. I haven't found any shady misusing of data."
Some of the apps' functions have caused concern though for another reason - child safety.
"Although the app is relatively secure as users can create 'rooms' and pick only specific names of the people to talk with, if a child doesn't 'lock' their chat room and choose private settings, others can pop into the video chat," warns the charity Internet Matters.
"So it's important to show and sit down with your child to switch privacy filters and other controls on when video chatting. This keeps video chats private and secure."
- Published31 March 2020