On Sunday, Block CEO and Twitter co-founder Jack Dorsey launched an open source chat app called Bitchat, pledged to provide “safe” and “private” messaging without a centralized infrastructure.
Unlike traditional messaging apps that rely on the internet, this app relies on Bluetooth and end-to-end encryption. By being decentralized, Bitchat could become a secure app in a high-risk environment where the Internet is incapable of being monitored or accessed. According to Dorsey's white paper detailing app protocols and privacy mechanisms, Bitchat's system design “prioritizes” security.
However, given that the app and its code have not been reviewed or tested for security issues, the claim that the app is safe has already faced scrutiny by security researchers, given that it has not been reviewed or tested for security issues at all by Dorsey's own admission.
Since its launch, Dorsey has added warnings to Bitchat's GitHub page. “This software has not received external security reviews, may contain vulnerabilities and does not necessarily meet the stated security goals. It should not be used for production use.
This warning is currently also visible on Bitchat's main Github project page, but it was not at the time the app debuted.
As of Wednesday, Dorsey added:
This latest disclaimer comes after researchers discovered that security researcher Alex Rodosia, as explained in a blog post, is thinking that she is pretending to be someone else and tricking people into talking to legal contact.
Rodocea writes that Bitchat has an “Identity Authentication/Verification” system that allows attackers to intercept someone's “ID key” and “peer ID pair.” This is a digital handshake that is essentially supposed to use an app to establish a trustworthy connection between the two of you. Bitchat calls these “favorite” contacts and marks them with a star icon. The goal of this feature is to allow two Bitchat users to interact.
Dorsey did not respond to TechCrunch requests for comments sent to the block email address.
On Monday, Radocea submitted a ticket to the GitHub project and asked how to report a security flaw it discovered on Bitter's favorite system. Shortly afterwards, Dorsey marked it “completed” without comment. (Dorsey resumed tickets on Wednesday, saying security issues can be reported by posting directly to GitHub.)
Another reported concern over Dorsey's claim that Bitchat has “Forward Screcy,” a encryption technology that ensures that even if an attacker steals or compromises the encryption key, it cannot decrypt messages that the attacker centres previously.
Someone pointed out a potential buffer overflow bug. This is a common type of security vulnerability that allows hackers to sweep the device's memory elsewhere and open the door to compromise data.
Radocea warned that Bitchat users shouldn't trust the app yet.
“Security is a great feature to get viral. But just like identity keys actually do encryption, basic sanity checks are very obvious to test when building something like this,” Radsea told TechCrunch. “There are people out there who can literally embrace security and rely on it for their safety, so that current state projects could put them at risk.”
Referring to his and others' findings, Radosia criticized Dorsey's warning that Vichat has not been tested for security.
“I would argue that I had an external security review, but it doesn't look good,” he said.