In the case of Clubhouse, an API call routed the token exchange through the app vendor's servers to establish a connection between users. The information is then sent unencrypted and contains metadata about the channel, such as whether a user has requested to join a chatroom, the user's Clubhouse ID number, and whether they have muted themselves. This is where the application developers introduced Excessive Data Exposure, threat #3 on the OWASP API Top 10 list.
https://t.co/eKyPg0ZiWC
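An added example of the mitigation for this class of bug, not code from Clubhouse or from the linked post: an explicit per-audience allow-list applied to channel metadata before it leaves the server, so that fields such as mute state or a pending join request reach only the clients that need them, and a small audit hook that flags any outgoing message carrying more than the policy permits. The field names, audiences and sample event are assumptions constructed for illustration.

```python
"""Added example (not Clubhouse's code): per-audience allow-listing of channel
metadata, the standard mitigation for OWASP API3 Excessive Data Exposure.
Field names, audiences and the sample event are constructed assumptions."""
from dataclasses import dataclass

# Constructed policy: fields each audience may receive; everything else is dropped.
# Mute state and join requests are moderator-only here; user_id never leaves.
ALLOWED_FIELDS = {
    "participant": frozenset({"channel_id", "event", "display_name"}),
    "moderator": frozenset({"channel_id", "event", "display_name",
                            "muted", "join_requested"}),
}


@dataclass(frozen=True)
class ShapedEvent:
    payload: dict          # what is actually sent to this audience
    dropped: frozenset     # fields present internally but withheld


def shape_channel_event(raw_event: dict, audience: str) -> ShapedEvent:
    """Project an internal channel event onto the allow-list for one audience."""
    try:
        allowed = ALLOWED_FIELDS[audience]
    except KeyError:
        raise ValueError(f"unknown audience: {audience!r}") from None
    payload = {k: v for k, v in raw_event.items() if k in allowed}
    return ShapedEvent(payload, frozenset(raw_event) - allowed)


def excess_fields(outgoing: dict, audience: str) -> frozenset:
    """Audit hook: fields in an outgoing message that the policy does not permit.
    A non-empty result is the Excessive Data Exposure condition worth alerting on."""
    return frozenset(outgoing) - ALLOWED_FIELDS[audience]


# Constructed internal event: more than any client needs to render the room.
SAMPLE_EVENT = {
    "channel_id": "room-42",
    "event": "participant_update",
    "display_name": "alice",
    "user_id": 1001,
    "muted": True,
    "join_requested": True,
    "session_token": "internal-opaque-value",
}

if __name__ == "__main__":
    for audience in ALLOWED_FIELDS:
        shaped = shape_channel_event(SAMPLE_EVENT, audience)
        print(audience, shaped.payload, "withheld:", sorted(shaped.dropped))
    # Relaying the raw event unshaped is the exposure pattern described above.
    print("excess if raw event sent to participants:",
          sorted(excess_fields(SAMPLE_EVENT, "participant")))
```

This controls which fields leave the server; protecting them in transit with TLS is a separate control that the allow-list does not replace.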