Jack Dorsey's Bitchat App Untested for Security

July 9, 2025
New Open-Source Chat App, Bitchat, Launched by Jack Dorsey

Jack Dorsey, co-founder of Twitter and CEO of Block, introduced Bitchat on Sunday. This new application is an open-source chat platform designed to provide “secure” and “private” messaging capabilities.

Unlike conventional messaging applications that depend on internet connectivity, Bitchat utilizes Bluetooth technology and end-to-end encryption. This decentralized approach positions Bitchat as a potentially secure communication tool in environments with restricted or monitored internet access.

Security Concerns Emerge

Despite claims of enhanced security, the app is already under examination by security professionals. This scrutiny stems from the fact that the application and its underlying code have not undergone any external security audit or testing, a point acknowledged by Dorsey himself.

A warning has been added to Bitchat’s GitHub repository stating that the software hasn’t received external security review. It also notes the potential for vulnerabilities and that the app may not meet its stated security objectives.

Users are advised against using the software for production purposes or relying on its security features until a thorough review has been completed. This disclaimer was not initially present when the app was first released.

Alongside the warning on GitHub, Dorsey has indicated that the project is still a “work in progress.”

Identified Vulnerabilities

Security researcher Alex Radocea discovered a critical flaw allowing for potential impersonation. An attacker could deceive a user’s contacts into believing they are communicating with the intended recipient.

Radocea’s analysis revealed a “broken identity authentication/verification” system within Bitchat. This allows an attacker to intercept a user’s “identity key” and “peer id pair,” disrupting the trusted connection establishment process.

Bitchat designates trusted contacts as “Favorites,” marked with a star icon. This feature aims to ensure users are interacting with previously verified individuals.

Dorsey has not yet responded to a request for comment sent to his Block email address.

GitHub Issue and Further Concerns

Radocea submitted a ticket on the GitHub project to inquire about reporting the discovered security flaw in the Favorites system. Dorsey initially marked the ticket as “completed” without providing a response.

The ticket was later reopened by Dorsey, who indicated that security issues should be reported directly on GitHub.

Concerns were also raised regarding Dorsey’s claim of “forward secrecy” within Bitchat. Forward secrecy is a cryptographic property that protects past messages even if long-term encryption keys are later compromised.

Another user identified a potential buffer overflow bug, a common class of vulnerability that could allow attackers to corrupt a device’s memory.

Researcher's Warning

Radocea cautions users against trusting the app in its current state. He emphasizes the importance of basic security checks, such as verifying the cryptographic functionality of identity keys.

“Security is a great feature to have for going viral. But a basic sanity check, like, do the identity keys actually do any cryptography, would be a very obvious thing to test when building something like this,” Radocea explained.

He further warned that individuals relying on Bitchat’s security assurances could be put at risk.

Radocea argues that the app has effectively undergone external security review, and the initial findings are unfavorable.

“I’d argue it has received external security review, and it’s not looking good,” he stated.
