On Sunday, Block CEO and Twitter co-founder Jack Dorsey launched an open source chat app called Bitchat, promising to deliver “secure” and “private” messaging without a centralized infrastructure.
The app relies on Bluetooth and end-to-end encryption, unlike traditional messaging apps that rely on the internet. By being decentralized, Bitchat has potential for being a secure app in high-risk environments where the internet is monitored or inaccessible. According to Dorsey’s white paper detailing the app’s protocols and privacy mechanisms, Bitchat’s system design “prioritizes” security.
But the claims that the app is secure, however, are already facing scrutiny by security researchers, given that the app and its code have not been reviewed or tested for security issues at all — by Dorsey’s own admission.
Since launching, Dorsey has added a warning to Bitchat’s GitHub page: “This software has not received external security review and may contain vulnerabilities and does not necessarily meet its stated security goals. Do not use it for production use, and do not rely on its security whatsoever until it has been reviewed.”
This warning now also appears on Bitchat’s main GitHub project page, but was not there at the time the app debuted.
As of Wednesday, Dorsey added: “Work in progress,” next to the warning on GitHub.
This latest disclaimer came after security researcher Alex Rodocea found that it’s possible to impersonate someone else and trick a person’s contacts into thinking they are talking to the legitimate contact, as the researcher explained in a blog post.
Rodocea wrote that Bitchat has a “broken identity authentication/verification” system that allows an attacker to intercept someone’s “identity key” and “peer id pair” — essentially a digital handshake that is supposed to establish a trusted connection between two people using the app. Bitchat calls these “Favorite” contacts and marks them with a star icon. The goal of this feature is to allow two Bitchat users to interact, knowing that they are talking to the same person they talked to before.
Dorsey did not respond to TechCrunch’s request for comment sent to his Block email address.
On Monday, Radocea filed a ticket on the GitHub project to ask how to report the security flaw he discovered in the Bitchat Favorites system. Soon after, Dorsey marked it as “completed,” without comment. (Dorsey re-opened the ticket on Wednesday, saying security issues can be reported by posting on GitHub directly.)
Another person reported concerns with Dorsey’s claims that Bitchat has “forward secrecy,” a cryptographic technique that ensures that even if an attacker steals or compromises an encryption key, that attacker still cannot decrypt previously-sent messages.
Someone also pointed out a potential buffer overflow bug, which is a common type of security vulnerability where a hacker can force a device’s memory to spill out to other locations, opening the door for a data compromise.
Radocea warned that Bitchat users should not trust the app yet.
“Security is a great feature to have for going viral. But a basic sanity check, like, do the identity keys actually do any cryptography, would be a very obvious thing to test when building something like this,” Radocea told TechCrunch. “There are people out there that would take the messaging around security literally and could rely on it for their safety, so the project in its current state could endanger them.”
Referring to his and other people’s findings, Radocea criticized Dorsey’s warning that Bitchat has not been tested for security.
“I’d argue it has received external security review, and it’s not looking good,” he said.
