On Sunday, Block CEO and Twitter co-founder Jack Dorsey launched an open source chat app called Bitchat, promising to deliver “secure” and “private” messaging without a centralized infrastructure.
The app relies on Bluetooth and end-to-end encryption, unlike traditional messaging apps that rely on the internet. By being decentralized, Bitchat has potential as a secure app in high-risk environments where the internet is monitored or inaccessible. According to Dorsey’s white paper detailing the app’s protocols and privacy mechanisms, Bitchat’s system design “prioritizes” security.
But the claims that the app is secure are already facing scrutiny from security researchers, given that the app and its code have not been reviewed or tested for security issues at all — by Dorsey’s own admission.
Since launching, Dorsey has added a warning to Bitchat’s GitHub page: “This software has not received external security review and may contain vulnerabilities and does not necessarily meet its stated security goals. Do not use it for production use, and do not rely on its security whatsoever until it has been reviewed.”
This warning now also appears on Bitchat’s main GitHub project page, but was not there at the time the app debuted.
As of Wednesday, Dorsey added “Work in progress” next to the warning on GitHub.
This latest disclaimer came after security researcher Alex Radocea found that it’s possible to impersonate someone else and trick a person’s contacts into thinking they are talking to the legitimate contact, as the researcher explained in a blog post.
Radocea wrote that Bitchat has a “broken identity authentication/verification” system that allows an attacker to intercept someone’s “identity key” and “peer id pair” — essentially a digital handshake that is supposed to establish a trusted relationship between two people using the app. Bitchat calls these “Favorite” contacts and marks them with a star icon. The goal of this feature is to let two Bitchat users interact knowing that they are talking to the same person they talked to before.
Dorsey did not respond to TechCrunch’s request for comment sent to his Block email address.

On Monday, Radocea filed a ticket on the GitHub project to ask how to report the security flaw he discovered in the Bitchat Favorites system. Soon after, Dorsey marked it as “completed,” without comment. (Dorsey re-opened the ticket on Wednesday, saying security issues can be reported by posting on GitHub directly.)
Another user reported concerns with Dorsey’s claims that Bitchat has “forward secrecy,” a cryptographic technique that ensures that even if an attacker steals or compromises an encryption key, that attacker still cannot decrypt previously sent messages.
Someone also pointed out a potential buffer overflow bug, a common type of security vulnerability in which a hacker can force a device’s memory to spill over into other locations, opening the door to a security compromise.
Radocea warned that Bitchat users should not trust the app yet.
“Security is a great feature to have for going viral. But a basic sanity check, like, do the identity keys actually do any cryptography, would be a very obvious thing to test when building something like this,” Radocea told TechCrunch. “There are people out there that would take the messaging about security literally and could rely on it for their safety, so the project in its current state could endanger them.”
Referring to his and other people’s findings, Radocea criticized Dorsey’s warning that Bitchat has not been tested for security.
“I’d argue it has received external security review, and it’s not looking good,” he said.
Lorenzo Franceschi-Bicchierai is a Senior Writer at TechCrunch, where he covers hacking, cybersecurity, surveillance, and privacy. You can contact Lorenzo securely on Signal at +1 917 257 1382, on Keybase/Telegram @lorenzofb, or via email at lorenzo@techcrunch.com.
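To make the forward secrecy property concrete, here is an added illustration that is not part of the article and not Bitchat’s code: a one-way symmetric-key ratchet (hash chain) of the kind Signal-style protocols use for message keys, beside a design that reuses one static key. Each message is encrypted under a key derived from the current chain key, and that chain key is then overwritten; because the derivation (HMAC-SHA256) is one-way, a key stolen later cannot be run backwards to earlier messages. The toy XOR-keystream cipher, the labels, and the sample messages are all constructed for this example; a real protocol would use a proper AEAD and a Diffie-Hellman ratchet on top of this chain.

```python
import hmac
import hashlib
import os


def kdf(key: bytes, label: bytes) -> bytes:
    """One-way key derivation (HMAC-SHA256). Given the output, the input key
    cannot be recovered; this is what makes the chain forward secret."""
    return hmac.new(key, label, hashlib.sha256).digest()


class Ratchet:
    """One-direction symmetric-key ratchet. Every message gets a fresh key, and
    the chain key that produced it is overwritten immediately afterwards."""

    def __init__(self, root_key: bytes):
        self.chain_key = root_key
        self.index = 0  # index of the next message key to be produced

    def next_message_key(self) -> tuple[int, bytes]:
        index, mk = self.index, kdf(self.chain_key, b"message-key")
        self.chain_key = kdf(self.chain_key, b"chain-key")  # old chain key is gone
        self.index += 1
        return index, mk


def _keystream(mk: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += kdf(mk, b"keystream" + counter.to_bytes(4, "big"))
        counter += 1
    return out[:length]


def encrypt_message(mk: bytes, plaintext: bytes) -> tuple[bytes, bytes]:
    """Toy encrypt-then-MAC under one message key (stand-in for a real AEAD)."""
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(mk, len(plaintext))))
    return ct, kdf(mk, b"tag" + ct)


def decrypt_message(mk: bytes, ct: bytes, tag: bytes):
    """Returns the plaintext, or None when mk does not verify the tag."""
    if not hmac.compare_digest(kdf(mk, b"tag" + ct), tag):
        return None
    return bytes(c ^ k for c, k in zip(ct, _keystream(mk, len(ct))))


def encrypt_stream(ratchet: Ratchet, plaintexts) -> list:
    """Encrypt each plaintext under its own ratchet key; returns the on-the-wire
    records (index, ciphertext, tag) that an eavesdropper could record."""
    records = []
    for pt in plaintexts:
        index, mk = ratchet.next_message_key()
        ct, tag = encrypt_message(mk, pt)
        records.append((index, ct, tag))
    return records


def recover_with_chain_key(stolen_chain_key: bytes, stolen_index: int, records) -> dict:
    """What a recorded transcript plus a chain key stolen at `stolen_index` exposes.
    The chain only runs forward, so only messages with index >= stolen_index decrypt;
    everything sent before the compromise stays protected (forward secrecy)."""
    walker = Ratchet(stolen_chain_key)
    walker.index = stolen_index
    keys = dict(walker.next_message_key() for _ in records)
    recovered = {}
    for index, ct, tag in records:
        pt = decrypt_message(keys[index], ct, tag) if index in keys else None
        if pt is not None:
            recovered[index] = pt
    return recovered


def encrypt_stream_static(key: bytes, plaintexts) -> list:
    """Contrast: one long-lived key reused for every message."""
    return [(i,) + encrypt_message(key, pt) for i, pt in enumerate(plaintexts)]


def recover_with_static_key(stolen_key: bytes, records) -> dict:
    """With a static key there is no forward secrecy: one stolen key exposes
    the whole recorded transcript, past messages included."""
    recovered = {}
    for index, ct, tag in records:
        pt = decrypt_message(stolen_key, ct, tag)
        if pt is not None:
            recovered[index] = pt
    return recovered


if __name__ == "__main__":
    ratchet = Ratchet(os.urandom(32))
    transcript = encrypt_stream(ratchet, [b"hello", b"meet at noon"])  # constructed
    stolen = ratchet.chain_key  # device compromised at this point (index 2)
    transcript += encrypt_stream(ratchet, [b"later message"])
    print(recover_with_chain_key(stolen, 2, transcript))  # only index 2 decrypts
```

The nuance worth noticing is that a pure hash chain protects the past but not the future: a chain key stolen at index 2 still yields every later key. That is why protocols that advertise forward secrecy also periodically mix in fresh Diffie-Hellman output, and why a claim of “forward secrecy” is only meaningful if old chain keys are actually erased and message keys are never reused.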