Jack Dorsey’s ‘Secure’ Bitchat App Lacks Security Testing

Summary
– Jack Dorsey launched Bitchat, an open-source chat app promising secure, private messaging without centralized infrastructure, using Bluetooth and end-to-end encryption.
– Security researchers are scrutinizing Bitchat’s claims, as the app lacks external security reviews and may contain vulnerabilities, per Dorsey’s own warning on GitHub.
– A security flaw was found allowing impersonation by intercepting identity keys, undermining the app’s “Favorite” contacts feature designed for trusted connections.
– Additional concerns were raised about Bitchat’s “forward secrecy” claims and a potential buffer overflow bug, further questioning its security reliability.
– Security researcher Alex Radocea warned users not to trust Bitchat yet, criticizing its untested security claims and the potential risks to user safety.
Block CEO Jack Dorsey’s newly launched Bitchat messaging app, which promises decentralized and secure communication, is raising eyebrows among cybersecurity experts due to its untested security claims. The Bluetooth-based platform, designed to operate without internet connectivity, initially marketed itself as a private alternative to traditional messaging services. However, concerns emerged almost immediately after launch when researchers identified critical vulnerabilities in its authentication system.
Dorsey himself later added a prominent disclaimer to Bitchat’s GitHub page, stating the software “has not received external security review” and warning against production use. This admission came after security analyst Alex Radocea demonstrated how attackers could easily impersonate trusted contacts by intercepting identity keys, a fundamental flaw in the app’s verification process.
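The impersonation finding comes down to how a “favorite” relationship is bound: if trust follows a nickname or whatever identity key happens to arrive over the air, a different key presented under the same name is accepted. The following is an added, generic illustration (not Bitchat’s code, and not a description of its protocol) of the defensive counterpart: pin the identity-key fingerprint the first time a contact is favorited and compare it on every later announcement, so a swapped key is surfaced rather than silently trusted. The `FavoriteStore` class, `nickname_only_check` and the sample keys `ALICE_KEY` and `IMPOSTER_KEY` are assumptions constructed for this example.

```python
"""Trust-on-first-use (TOFU) pinning of a contact's identity key.

Added, generic illustration: this is not Bitchat's code and does not describe
its wire protocol. It assumes a peer advertises a (nickname, identity public
key) pair and that a "favorite" relationship should be bound to the key, not
to the nickname that travels with it.
"""
import hashlib
import hmac
from dataclasses import dataclass, field

# Constructed sample keys (random-looking bytes, not real key material).
ALICE_KEY = bytes.fromhex("7f3a9c12d45e6b08a1c2d3e4f5061728394a5b6c7d8e9f001122334455667788")
IMPOSTER_KEY = bytes.fromhex("deadbeef" * 8)


def fingerprint(identity_key: bytes) -> str:
    """Short, human-comparable digest of an identity public key."""
    return hashlib.sha256(identity_key).hexdigest()[:16]


@dataclass
class FavoriteStore:
    """Pins the fingerprint seen when a contact is first favorited."""
    pins: dict[str, str] = field(default_factory=dict)

    def favorite(self, nickname: str, identity_key: bytes) -> str:
        """Pin the key presented now. TOFU only detects later changes; the
        fingerprint itself should be confirmed out of band (e.g. read aloud)."""
        fp = fingerprint(identity_key)
        self.pins[nickname] = fp
        return fp

    def check(self, nickname: str, identity_key: bytes) -> str:
        """Classify a later announcement as 'trusted', 'unknown' or 'KEY_CHANGED'."""
        pinned = self.pins.get(nickname)
        if pinned is None:
            return "unknown"
        # Constant-time comparison of the pinned and presented fingerprints.
        if hmac.compare_digest(pinned, fingerprint(identity_key)):
            return "trusted"
        # A different key under a favorited nickname is exactly the signal an
        # impersonation attempt produces; surface it instead of re-trusting.
        return "KEY_CHANGED"


def nickname_only_check(favorites: set[str], nickname: str, identity_key: bytes) -> str:
    """Weak design, shown for contrast: trust is keyed on the nickname alone,
    so any key that arrives alongside a favorited name is accepted."""
    return "trusted" if nickname in favorites else "unknown"


def demo() -> dict[str, str]:
    """Run the same key swap through both designs and report each verdict."""
    store = FavoriteStore()
    store.favorite("alice", ALICE_KEY)
    return {
        "same_key": store.check("alice", ALICE_KEY),
        "swapped_key": store.check("alice", IMPOSTER_KEY),
        "unpinned_peer": store.check("bob", ALICE_KEY),
        "nickname_only": nickname_only_check({"alice"}, "alice", IMPOSTER_KEY),
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case}: {verdict}")
```

The pinned design still leaves the first contact unauthenticated; that is the known limit of trust-on-first-use and the reason messengers show a fingerprint or safety number for out-of-band comparison. The point of the check is that a key change on an already-favorited contact is an event the application must report, not absorb.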
The issues don’t stop there. Questions have been raised about Bitchat’s implementation of forward secrecy, the encryption property that keeps already-exchanged messages unreadable even if a long-term key is later compromised. Additionally, a potential buffer overflow, a classic memory-safety weakness, was flagged by contributors reviewing the open-source code.
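To make the forward-secrecy property concrete, the following added example (not Bitchat’s code, and not a claim about which scheme it actually uses) contrasts two ways of deriving per-message keys: from a single long-lived secret, and from a hash ratchet whose older state is erased after each message. An attacker who obtains the current secret in each scheme is then modelled, and the counts show which past messages that compromise reaches. The constructed secrets `LONG_TERM_KEY` and `INITIAL_CHAIN_KEY`, and the helper names, are assumptions for this example.

```python
"""Forward secrecy, illustrated with a symmetric hash ratchet.

Added, generic illustration: not Bitchat's code and not a claim about which
scheme it uses. Assumes two parties already share an initial chain key and
that the sender retains only the most recent chain key (older state erased).
"""
import hashlib
import hmac

# Constructed sample secrets (not real key material).
LONG_TERM_KEY = bytes.fromhex("00" * 31 + "01")
INITIAL_CHAIN_KEY = bytes.fromhex("a5" * 32)


def kdf(key: bytes, label: bytes) -> bytes:
    """One-way derivation: knowing the output does not reveal `key`."""
    return hmac.new(key, label, hashlib.sha256).digest()


def static_message_key(long_term_key: bytes, n: int) -> bytes:
    """Scheme without forward secrecy: every message key derives directly from
    one long-lived secret, so that secret unlocks everything ever sent."""
    return kdf(long_term_key, b"msg-" + n.to_bytes(4, "big"))


def ratchet_step(chain_key: bytes) -> tuple[bytes, bytes]:
    """Derive this message's key and the next chain key; the caller then
    forgets the chain key it passed in."""
    message_key = kdf(chain_key, b"message")
    next_chain_key = kdf(chain_key, b"chain")
    return next_chain_key, message_key


def send_with_ratchet(chain_key: bytes, count: int) -> tuple[list[bytes], bytes]:
    """Produce `count` message keys; returns them and the only state retained."""
    message_keys = []
    for _ in range(count):
        chain_key, mk = ratchet_step(chain_key)
        message_keys.append(mk)
    return message_keys, chain_key


def compromise_ratchet(stolen_chain_key: bytes, past_keys: list[bytes], future: int) -> dict:
    """What an attacker holding the current chain key can reach: the next
    `future` message keys, but none already consumed (HMAC is not invertible)."""
    derivable, _ = send_with_ratchet(stolen_chain_key, future)
    return {
        "past_recovered": sum(1 for k in past_keys if k in derivable),
        "future_recovered": len(derivable),
    }


def compromise_static(stolen_long_term_key: bytes, past_keys: list[bytes]) -> int:
    """The same attacker against the static scheme recomputes every past key."""
    recomputed = [static_message_key(stolen_long_term_key, n) for n in range(len(past_keys))]
    return sum(1 for a, b in zip(recomputed, past_keys) if a == b)


def demo(sent: int = 5, future: int = 3) -> dict:
    """Send `sent` messages under both schemes, then compromise the current secret."""
    past_ratchet, current_chain = send_with_ratchet(INITIAL_CHAIN_KEY, sent)
    past_static = [static_message_key(LONG_TERM_KEY, n) for n in range(sent)]
    ratchet = compromise_ratchet(current_chain, past_ratchet, future)
    return {
        "ratchet_past_recovered": ratchet["past_recovered"],
        "ratchet_future_recovered": ratchet["future_recovered"],
        "static_past_recovered": compromise_static(LONG_TERM_KEY, past_static),
    }


if __name__ == "__main__":
    for name, count in demo().items():
        print(f"{name}: {count}")
```

The ratchet protects the past but not the future: once the chain key is taken, every subsequent message key is derivable until fresh key material (for example a new Diffie-Hellman exchange) is mixed in. Evaluating a forward-secrecy claim therefore means checking both that old state is actually erased on the device and how the protocol recovers after a compromise.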
Despite these red flags, Dorsey initially marked Radocea’s GitHub report as “completed” without addressing the findings, only reopening the ticket days later with vague instructions for submitting security concerns. The lack of transparency has fueled skepticism, with Radocea emphasizing that early adopters risk placing dangerous trust in an unvetted system.
While decentralized messaging holds promise for censorship-resistant communication, Bitchat’s rushed rollout highlights the pitfalls of prioritizing hype over rigorous security testing. For now, experts advise treating the app as experimental rather than relying on it for sensitive exchanges. The project’s future hinges on whether Dorsey’s team can address these flaws before real-world users face consequences.
(Source: TechCrunch)