If you’re at home right now – and who isn’t? – then you’ve probably heard of Houseparty.

It’s a social networking app that came out back in 2015 and was bought by Epic Games – famous for Unreal and Fortnite – in the middle of 2019.

The name gives you a good idea of what it does: simply put, you go online, hang out and other members (players?) can join you in your “room” and engage in face-to-face chat, or as close to face-to-face as you can get in a virtual world.

Think of it as a multiuser video call that friends and family – or, indeed, anyone, if that’s your thing – can wander in and say, “Hi.”

As the app makers themselves put it early last year:

We’re the face-to-face social network bringing friends together for live video hangouts. Now, with the Heads Up! game available in app, we’re introducing a new way for users to spend time together.

[…]

Houseparty only works when people are online together. There’s no liking, commenting, or scrolling. Instead, the Houseparty experience brings empathy to online communication by requiring in-the-moment conversations and facilitating casual “drop-ins” from friends.

Imagine a video calling service, like Zoom or Skype, but without calls and conferences and meetings – it’s like arriving at the pub to see who’s there, rather than booking a table at a bistro and meeting a specific group who have all agreed to the time and place.

And, as Houseparty noted in the same article, given that the North American winter was in full swing at the time:

Whether snowed in, away from home, or just too cozy to leave bed, here’s another way to bond with your closest friends when you can’t be together!

For “snow” read “coronavirus lockdown” and you can understand why the app has become hugely popular in the last few weeks, as people try to maintain a social life of sorts when they aren’t allowed out to meet other people at all.

Has the party gone wrong?

Well, the Houseparty team have suddenly been turned into the bad guys, with breathless comments on other social networks warning you to stop using the app right away:

If anyone is using that house party app DELETE IT My friends email account been hacked into by it And managed to get bank account details too and has hacked that. I've seen a few other people saying this too on twitter. I also keep getting dodgey emails. Just a warning x

Is there any truth in this?

To be honest, we can’t tell you that the Houseparty app is bug-free, because we haven’t decompiled or analysed it, and even if we had, working out that an app is totally free of vulnerabilities is a close-to-impossible exercise, as are many tasks where you are expected to prove a negative.

But the claim in the post above is not that there’s a bug that’s being exploited in the app.

Instead, to us the post seems very clearly to imply that Houseparty is a rogue app that is actively breaking into every part of your digital life and plundering it in a determined burst of criminality.

And as unlikely as that sounds, and for all that Houseparty itself has stated this…

…there are pages of counter-tweets insisting that…

BOYCOTT HOUSEPARTY, just found out that's how my Spotify was hacked and how many others are being hacked on various things DELETE HOUSPARTY!!!!! They are hacking into spotifys, snapchats and even online banking!!! Didn’t realise what was happening when i got these emails but is 100% that houseparty app!! Three new logins to my spotify and someone tried to reset my password for netflix!! Not worth it the risk

Well, here’s the thing.

There’s one thing missing in all of these aggressive!!! and SHOUTY!!!!! claims, and that is evidence.

What to do?

A few calm voices on Twitter are asking the obvious question, which is:

where's the evidence it was from houseparty? How do you know this had happened because of house party tho?

That’s a vital point to consider, and not just because it’s the ethically correct thing to do.

After all, if any of this “hacking” behaviour is not down to Houseparty, which is a mainstream app published by a well-known software company in Apple’s and Google’s official online stores…

…then deleting the app and feeling virtuous about closing your account is not going to help you, because you will still be at risk but will think you aren’t.

Our advice is simple:

  • Don’t accuse Houseparty or Epic Games of malfeasance without strong evidence. The fact that lots of people repeated the same condemnatory text on Twitter proves nothing. If you aren’t part of the solution then you are part of the problem.
  • Don’t assume that deleting Houseparty will fix your problems. The idea that all the listed symptoms above might suddenly appear on account of a single app has to be considered extremely unlikely, in which case removing the app will leave you at risk when you think you are safe.
  • Do visit the Houseparty settings and decide how open you want to be. Do you want your rooms to be “locked” so you meet new people by invitation only? If not, or if you are scared of the app because trolls have been wandering into your online life, consider dialling back your openness rather than deleting the app but not changing your behaviour. Go through the same exercise for all your social media accounts.
  • Do turn on 2FA (two-factor authentication) for any online accounts that support it. Don’t make it easy for someone who steals your password – which is more likely to happen via phishing than in any other way – to log in to all your accounts and take them over.
  • Do change passwords and watch financial statements carefully if you think your accounts have been hacked. Whether you think a specific product is to blame or not, just removing one app from your phone is not enough to “unhack” accounts that have already been taken over.

We’ll update this article if we learn any more genuine information – until then, please don’t blindly repeat other people’s unsubstantiated claims, because you can’t make something true simply by saying it over and over again.


