
Jack Dorsey says his ‘secure’ new Bitchat app has not been tested for security
San Francisco, CA – Jack Dorsey, co-founder of Twitter and CEO of Block, recently unveiled his new open-source chat application, Bitchat, promoting it as a platform for “secure” and “private” messaging with no centralized infrastructure. The app’s design, which relies on Bluetooth and end-to-end encryption rather than on the internet, positions it as a potentially robust communication tool for environments where internet access is restricted or monitored. According to its white paper, Bitchat’s system architecture inherently “prioritizes” security.
However, Bitchat’s claims of security are swiftly being challenged by cybersecurity researchers, primarily due to Dorsey’s own admission that the app and its underlying code have not undergone any external security review or testing. This critical lack of vetting has raised immediate red flags within the security community.
Following its launch, Dorsey updated Bitchat’s GitHub page with a stark warning: “This software has not received external security review and may contain vulnerabilities and does not necessarily meet its stated security goals. Do not use it for production use, and do not rely on its security whatsoever until it has been reviewed.” This disclaimer, notably absent at the time of the app’s debut, now features prominently on the project’s main page, further underscored by a recent addition: “Work in progress.”
The urgency of these warnings became apparent when security researcher Alex Radocea uncovered a critical vulnerability allowing impersonation. Radocea detailed in a blog post that Bitchat’s “broken identity authentication/verification” system could be exploited to trick users into believing they are communicating with a legitimate contact when, in fact, they are engaging with an attacker. This flaw specifically affects the app’s “Favorites” feature, which is meant to ensure trusted connections between users.
Upon discovering the flaw, Radocea filed a ticket on the Bitchat GitHub project to report the issue, which Dorsey initially marked as “completed” without comment. Dorsey later reopened the ticket, clarifying that security issues could be reported directly on GitHub. TechCrunch’s attempts to reach Dorsey for comment through his Block email address have, as of this report, gone unanswered.
Beyond Radocea’s findings, other users have also raised concerns. Questions have been posed regarding Dorsey’s assertions of Bitchat’s “forward secrecy” – a cryptographic property that keeps past messages from being decrypted even if encryption keys are later compromised. Additionally, a potential buffer overflow bug, a common memory-safety vulnerability that could lead to data compromise, has been identified and reported.
Radocea’s stern advice is for users to exercise extreme caution: “Security is a great feature to have for going viral. But a basic sanity check, like, do the identity keys actually do any cryptography, would be a very obvious thing to test when building something like this. There are people out there that would take the messaging around security literally and could rely on it for their safety, so the project in its current state could endanger them.” Responding to Dorsey’s disclaimer, he added, “I’d argue it has received external security review, and it’s not looking good.” The ongoing discoveries highlight the critical need for comprehensive security audits before Bitchat can be considered a truly secure and reliable communication platform.
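As an added illustration (not code from Bitchat, its white paper, or Radocea’s write-up), the Go model below shows the sanity check Radocea describes: a favorites check that merely compares the announced identity-key bytes with the stored ones accepts anyone who has seen that key, while one that demands a signature over a fresh nonce accepts only the holder of the private key and rejects a signature replayed from an earlier session. The types and functions (Peer, Announcement, weakIsFavorite, strongIsFavorite) are assumptions made for this model, not Bitchat’s API or message format.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Peer is what a client stores when a contact is favorited (illustrative model, not Bitchat's format).
type Peer struct {
	Name        string
	IdentityKey ed25519.PublicKey
}
// Announcement is what a peer presents on reconnect; the hardened flow adds a signature over the verifier's nonce.
type Announcement struct {
	Name        string
	IdentityKey ed25519.PublicKey
	Signature   []byte
}
// transcript binds name, key and nonce into the bytes that get signed.
func transcript(a Announcement, nonce []byte) []byte {
	return bytes.Join([][]byte{[]byte(a.Name), a.IdentityKey, nonce}, []byte{0})
}
// weakIsFavorite models the flaw class: key bytes are compared and nothing is
// signed, so anyone who has observed the key on the mesh can present it.
func weakIsFavorite(stored Peer, a Announcement) bool {
	return stored.IdentityKey.Equal(a.IdentityKey)
}
// strongIsFavorite demands proof of possession: a signature over a nonce the
// verifier just generated, which only the private-key holder can produce.
func strongIsFavorite(stored Peer, nonce []byte, a Announcement) bool {
	return stored.IdentityKey.Equal(a.IdentityKey) &&
		ed25519.Verify(stored.IdentityKey, transcript(a, nonce), a.Signature)
}
// simulate reports which checks accept a bare key copy, a stale replayed signature, and Alice herself.
func simulate() (weakCopy, strongCopy, strongStale, strongOwner bool) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	stored := Peer{Name: "alice", IdentityKey: pub}
	oldNonce, nonce := make([]byte, 32), make([]byte, 32)
	rand.Read(oldNonce)
	rand.Read(nonce)
	copyOnly := Announcement{Name: "alice", IdentityKey: pub} // impersonator has no private key
	stale, owner := copyOnly, copyOnly
	stale.Signature = ed25519.Sign(priv, transcript(stale, oldNonce))
	owner.Signature = ed25519.Sign(priv, transcript(owner, nonce))
	return weakIsFavorite(stored, copyOnly), strongIsFavorite(stored, nonce, copyOnly),
		strongIsFavorite(stored, nonce, stale), strongIsFavorite(stored, nonce, owner)
}
func main() { fmt.Println(simulate()) } // prints: true false false true
```

The weak check is fooled by a bare copy of the key, which is the failure mode behind the impersonation described above; the strong check rejects both the copy and the stale signature and accepts only the real key holder.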