zhuowei / ClubhouseAPI

https://petstore.swagger.io/?url=https://raw.githubusercontent.com/zhuowei/ClubhouseAPI/main/doc/openapi.yaml

what does "is_blocked" mean? #2

Open Kladdkaka opened 3 years ago

Kladdkaka commented 3 years ago

Hi!

Nice to see someone has already figured out the API :D

Bit confused though, I tried to "register" by using the start_phone_number_auth, went great and worked with calling complete_phone_number_auth. However, when I called the /check_waitlist_status endpoint, it went 403 with "You do not have permission to perform this action."

Tried to call /start_phone_number_auth again and is_blocked was true. I thought I was blocked until I tried the /call_phone_number_auth & /resend_phone_number_auth which would send me the same code again. But /complete_phone_number_auth didn't work this time o:

Not asking for support or anything, just wondering if it occurred to you :)

Cheers!

zhuowei commented 3 years ago

I've only gotten "is_blocked":true when I didn't pass all the CH-Locale, CH-AppVersion, and CH-AppBuild headers, so I'm not sure how you're getting this. Maybe try signing in with the actual Clubhouse app and see if you're also blocked there?

Kladdkaka commented 3 years ago

> I've only gotten "is_blocked":true when I didn't pass all the CH-Locale, CH-AppVersion, and CH-AppBuild headers, so I'm not sure how you're getting this. Maybe try signing in with the actual Clubhouse app and see if you're also blocked there?

Oh thank you! Yeah, that sounds interesting, I'll give it a try :) Cheers!

zhuowei commented 3 years ago

I'm getting this as well from a new account: it looks like Clubhouse is auto-banning users on register? I don't think they're detecting 3rd party api usage and banning based on that; an actual app user also got auto-banned on register.

alimartino commented 3 years ago

Hi, I got access_token and I try to update my username and name. I mean, I try to register but I can't do it.

"detail": "You do not have permission to perform this action."

Is there any way to register after getting access_token?

zhuowei commented 3 years ago

@alimartino That sounds like your number is banned. It seems Clubhouse is banning suspicious users after the first login: try registering a new account using the actual Clubhouse app first.

zhuowei commented 3 years ago

TLDR: always create your account with the real app, or Clubhouse bans you on first login.

I bought a few phone numbers on Twilio and tested this:

Not banned:

Banned on register (API calls after registration return "You do not have permission to perform this action"; subsequent logins return is_blocked: true):

It seems that:

Kladdkaka commented 3 years ago

Hi!

Wow, great research :O That is really interesting, I have never seen any other app/site being this strict on signup protection.

One thing I noticed is that they are not parsing phone numbers correctly, at least when it comes to phone numbers with a 0 as trunk prefix (for example Swedish phone numbers). "+46721234567" and "+460721234567" are parsed as two different numbers, but they are the same and Twilio handles them as the same. I could create two accounts on my phone number that both got banned :D

I did my requests with Postman, with no proxy and my real phone number (bad idea, hehe). Yet I got banned, I believe I used the correct headers & stuff.

DM me on Twitter (@ intresse) if you need a site with rentable phone numbers from real carriers.

zhuowei commented 3 years ago

@Kladdkaka I don't have the proper headers myself, since I tested this using static analysis only instead of capturing the app's traffic. Yeah, it looks like they've stepped up their checks since last week. I tested creating accounts with curl last week and it worked fine then. I'm planning to patch out the certificate pinning in the app, capture a login from the app, and try to replicate that.

zhuowei commented 3 years ago

I decrypted the app, changed the ROOT_URL in the app's Info.plist to point to an Ngrok tunnel (it turns out the app doesn't actually care about certificate pinning??) and captured some API calls:

https://gist.github.com/zhuowei/7dfec6b5177c106b10e8635fce834c25

I'll try replicating these requests and see if that still causes auto-bans.

zhuowei commented 3 years ago

OK, using these headers seemed to work:

    'User-Agent': 'clubhouse/269 (iPhone; iOS 14.1; Scale/3.00)',
    'CH-Languages': 'en-US',
    'CH-Locale': 'en_US',
    'CH-AppVersion': '0.2.15',
    'CH-AppBuild': '269',
    'CH-UserID': '(null)',
    'CH-DeviceId': uuidv4().toUpperCase(),

Twilio, no invite, CORS proxy on Google Cloud VM, account was not blocked on register. Update: tried again: Twilio, no invite, CORS proxy on Google Cloud VM, account was still not blocked on register.

Kladdkaka commented 3 years ago

> OK, using these headers seemed to work:
>
>     'User-Agent': 'clubhouse/269 (iPhone; iOS 14.1; Scale/3.00)',
>     'CH-Languages': 'en-US',
>     'CH-Locale': 'en_US',
>     'CH-AppVersion': '0.2.15',
>     'CH-AppBuild': '269',
>     'CH-UserID': '(null)',
>     'CH-DeviceId': uuidv4().toUpperCase(),
>
> Twilio, no invite, CORS proxy on Google Cloud VM, account was not blocked on register. Update: tried again: Twilio, no invite, CORS proxy on Google Cloud VM, account was still not blocked on register.

Can confirm it also works for me :D Also found out you can prefix a phone number with two "+" to create yet another account, eheh.
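
Added example (not part of the original thread or the project's code): the two duplicate-account observations in this thread, the Swedish trunk-prefix `0` and the repeated `+`, both follow from keying accounts on the raw input string. One way a service could canonicalise numbers before its uniqueness check; `TRUNK_PREFIXES`, `canonicalPhone` and `registerOnce` are hypothetical names, and the prefix table is a small constructed sample rather than a full numbering plan.

```javascript
// Constructed sample table: country code -> national trunk prefix that must
// be dropped in international format. Production code should rely on a
// maintained numbering-plan library instead of a hand-written table.
const TRUNK_PREFIXES = {
  '46': '0', // Sweden
  '44': '0', // United Kingdom
  // Italy (39) keeps its leading 0 in international format, so no entry.
};

function canonicalPhone(raw) {
  if (typeof raw !== 'string') throw new TypeError('phone number must be a string');
  // Drop separators people type: spaces, dashes, dots, parentheses.
  const compact = raw.replace(/[\s\-.()]/g, '');
  // Accept one or more leading '+' but treat them as a single prefix.
  const m = /^\++(\d+)$/.exec(compact);
  if (!m) throw new Error('not an international number');
  let digits = m[1];
  // Longest-match the country code (3, 2, then 1 digits) against the table.
  for (let len = 3; len >= 1; len--) {
    const cc = digits.slice(0, len);
    const trunk = TRUNK_PREFIXES[cc];
    if (trunk !== undefined) {
      let national = digits.slice(len);
      if (national.startsWith(trunk)) national = national.slice(trunk.length);
      digits = cc + national;
      break;
    }
  }
  // E.164: at most 15 digits, and country codes never start with 0.
  if (digits.length > 15 || digits[0] === '0') throw new Error('invalid E.164 number');
  return '+' + digits;
}

// Uniqueness check keyed on the canonical form, not on the raw input.
function registerOnce(seen, raw) {
  const key = canonicalPhone(raw);
  if (seen.has(key)) return { created: false, key };
  seen.add(key);
  return { created: true, key };
}
```

With this in place, "+46721234567", "+460721234567" and "++46721234567" all map to the same account key.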

pacess commented 3 years ago

Excuse me, if I already have an account that registered on a real phone, how can I get my token? Thank you!

zhuowei commented 3 years ago

@pacess You'll need to re-login by calling start_phone_number_auth and complete_phone_number_auth.

(It's probably possible to extract the access token and device ID from an iTunes backup, but I can't think of a reason why.)