Excessive Data Exposure is a threat that can be introduced in many ways, including error messages that reveal too much information, or even displaying information that has only been obfuscated rather than removed.

In the case of Clubhouse, an API call was made that resulted in a token exchange routed through the app vendor's servers to establish a connection between users. The information was then sent unencrypted and contained metadata about the channel, such as whether a user had requested to join a chatroom, the user's Clubhouse id number, and whether they had muted themselves. This is where the application developers introduced Excessive Data Exposure, item #3 on the OWASP API Security Top 10 list.
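The vulnerable pattern described above (serialising an internal record to every client and trusting the app to hide what it should not show) beside the server-side allow-list mitigation, as an added example that is not from the original page. The `Participant` record, its field names and the audience names are constructed for illustration and do not describe Clubhouse's actual API.

```python
"""Allow-list response filtering as a mitigation for Excessive Data Exposure
(OWASP API3:2019). Added example; the record layout and field names are
constructed for illustration, not Clubhouse's actual protocol."""
from dataclasses import dataclass, asdict

# Constructed internal record: everything the server knows about a participant.
@dataclass
class Participant:
    display_name: str
    user_id: int             # internal account identifier
    is_muted: bool
    requested_to_join: bool  # pending join request; only moderators need it
    session_token: str       # must never leave the server

# Fields each audience may see, decided on the server, never in the client.
ALLOWED_FIELDS = {
    "member":    {"display_name", "is_muted"},
    "moderator": {"display_name", "is_muted", "requested_to_join"},
}

def serialize_participant(p: Participant, audience: str) -> dict:
    """Build the API response for one participant from the audience's
    allow-list. An unknown audience gets nothing rather than everything."""
    allowed = ALLOWED_FIELDS.get(audience, set())
    return {k: v for k, v in asdict(p).items() if k in allowed}

def serialize_naively(p: Participant) -> dict:
    """The vulnerable pattern: dump the whole internal object and rely on
    the client to ignore the fields it should not display."""
    return asdict(p)

def excess_fields(response: dict, audience: str) -> set:
    """Review check: which keys in a response fall outside the audience's
    allow-list? Usable as a unit test or as a detector over logged responses."""
    return set(response) - ALLOWED_FIELDS.get(audience, set())

if __name__ == "__main__":
    # Constructed sample participant.
    alice = Participant("alice", 4815162342, False, True, "tok-constructed")
    print(serialize_participant(alice, "member"))
    print(excess_fields(serialize_naively(alice), "member"))
```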
