Bitchat is an open source chat app that was introduced on Sunday by Block CEO and Twitter co-founder Jack Dorsey. The app promises to provide “private” and “secure” conversation without the need for a centralized infrastructure.
Unlike other texting apps that rely on the internet, this one uses Bluetooth and end-to-end encryption. Bitchat’s decentralized design makes it potentially a safe software for high-risk settings where internet access is restricted or regulated. Bitchat’s system design “prioritizes” security, according to Dorsey’s white paper outlining the app’s protocols and privacy features.
However, security specialists are already questioning the app’s security claims because, according to Dorsey herself, neither the app nor its code have been examined or tested for security flaws.
However, considering that the app and its code have not been examined or tested for security flaws at all—by Dorsey’s own admission—security researchers are already questioning the app’s security promises. “This software has not received external security review and may contain vulnerabilities and does not necessarily meet its stated security goals,” Dorsey said on Bitchat’s GitHub website after the launch. Until it has been reviewed, do not use it for production purposes and do not depend on its security in any way.” Although it wasn’t present when the app first launched, this warning is now also visible on Bitchat’s official GitHub project page.
Although it wasn’t present when the app first launched, this warning is now also visible on Bitchat’s official GitHub project page.
As of Wednesday, Dorsey updated GitHub to include the phrase “Work in progress” next to the warning.
This most recent disclaimer was issued in response to security researcher Alex Radocea’s discovery—which was detailed in a blog post—that it is feasible to pose as someone else and fool a person’s contacts into believing they are speaking with the real contact.
Bitchat’s “broken identity authentication/verification” system, according to Radocea, enables an attacker to intercept a user’s “identity key” and “peer id pair”—basically, a digital handshake meant to create a trustworthy connection between two app users. Bitchat designates these connections with a star icon and names them “Favorite.” Allowing two Bitchat users to communicate while being aware that they are speaking to the same individual is the aim of this feature.
TechCrunch sent a request for comment to Dorsey’s Block email address, but he did not reply.
In order to report the security vulnerability he found in the Bitchat Favorites system, Radocea opened a ticket on the GitHub project on Monday. Dorsey quickly and without comment tagged it as “completed.” (Dorsey reopened the ticket on Wednesday, stating that publishing directly on GitHub is the best way to report security vulnerabilities.)
Dorsey’s assertions that Bitchat features “forward secrecy,” a cryptographic approach that guarantees that an attacker cannot decrypt previously delivered messages even if they steal or compromise an encryption key, raised worries from another individual.
Additionally, a potential buffer overflow fault was also disclosed. This kind of security flaw is frequent and allows a hacker to force a device’s memory to spill out to other regions, potentially compromising data.
Users of Bitchat should not yet put their trust in the service, Radocea said.
“Having security is a wonderful way to go viral. However, when creating something like this, it would be extremely clear to verify a basic sanity check, such as whether the identity keys actually do any cryptography, Radocea told TechCrunch. “The project in its current state may put people in danger because there are those who would take the security messaging literally and depend on it for their safety.”
Radocea questioned Dorsey’s warning that Bitchat has not been tested for security, stating his and other people’s results.
“I would contend that it has undergone an external security review, and the results are not encouraging,” he stated.
We use cookies to ensure that we give you the best experience on our website. If you continue to use this site we will assume that you are happy with it.
