Bitchat
Jack Dorsey, co-founder of Twitter and head of Block, earlier introduced Bitchat, billing it as «private» and «secure»; ironically, the app turned out to be critically vulnerable.
The main features of the open-source application are decentralization, Bluetooth messaging without Internet access, and end-to-end encryption. Dorsey said Bitchat should be especially useful where Internet access is limited or absent: natural disasters, protests and the like. But only a few days after launch, Dorsey himself had to report problems on GitHub.
«This software has not received external security review and may contain vulnerabilities and does not necessarily meet its stated security goals. Do not use it for production use, and do not rely on its security whatsoever until it has been reviewed», Dorsey writes.
Security expert Alex Radocha discovered a serious vulnerability: an attacker can easily impersonate another user in a chat. He showed an example in which a fake «Bob» talks to «Alice», and the Bitchat app never warns her about the impersonation. The cause is the flawed «Favorites» contact system: an asterisk next to a name does not guarantee authenticity without cryptographic verification.
Users also found other problems: possible buffer overflows and false claims about «forward secrecy» (a property that is supposed to protect old messages if keys are compromised). The issue was reported on GitHub, but Dorsey initially closed the ticket without a response. Later the developer wrote «Work in progress» and added that such vulnerability reports are now accepted directly via GitHub.
From a broader perspective, Bitchat is for now just an experimental project. Although it was presented as «private» and «secure», it is too early to call it that, especially if one imagines the messenger actually being used during protests and the party the rally is directed against compromises the system and misinforms the crowd. So, at the moment, Bitchat raises more questions and poses more risks than it delivers on its stated goals.
Source: GitHub