On Sunday, Block CEO and Twitter co-founder Jack Dorsey launched an open source chat app called bitchat, promising to deliver “secure” and “private” messaging without centralized infrastructure.
Unlike traditional messaging apps that rely on the internet, the app depends on Bluetooth and end-to-end encryption. Because it is decentralized, Bitchat has the potential to be a secure app in high-risk environments where the internet is controlled or unavailable. Dorsey’s white paper, which details the app’s protocols and privacy mechanisms, lists security among Bitchat’s “priorities”.
But the claim that the app is secure is now facing scrutiny from security researchers, given that the app and its code have not been reviewed or tested for security problems at all, by Dorsey’s own admission.
Since launch, Dorsey has added a warning to Bitchat’s GitHub page: “This software has not received an external security review and may contain vulnerabilities and does not necessarily meet its stated security goals. Do not use it for production use, and do not trust its security until it has been reviewed.”
This warning now also appears on the main page of Bitchat’s GitHub project, but it was not there when the app debuted.
On Wednesday, Dorsey added “Work in progress” next to the GitHub warning.
This latest disclaimer came after security researcher Alex Radocea found that it is possible to impersonate someone else and trick a person’s contacts into thinking they are talking to the legitimate contact, as the researcher explained in a blog post.
Radocea wrote that Bitchat has a “broken identity authentication/verification” system that allows an attacker to intercept someone’s “identity key” and “peer ID pair”, essentially a digital handshake that is supposed to establish a trusted relationship between two people using the app, so that users know they are talking to the same person they spoke with before.
Dorsey did not respond to TechCrunch’s request for comment sent to his Block email address.

On Monday, Radocea filed a ticket on the GitHub project asking how to report the security vulnerability he had discovered in Bitchat’s Favorites system. Shortly thereafter, Dorsey marked it as “completed” without comment. (Dorsey reopened the ticket on Wednesday, saying that security issues can be reported by posting on GitHub directly.)
Another person reported concerns about Dorsey’s claim that Bitchat has “forward secrecy”, a cryptographic property that ensures that even if an attacker steals or compromises an encryption key, the attacker still cannot decrypt previously sent messages.
Someone else also showed a possible buffer overflow bug, a common type of security vulnerability in which an attacker can force a device’s memory to spill into other locations, opening the door to a data compromise.
Radocea warned that Bitchat users still should not trust the app.
“Security is a great feature to go viral with. But basic sanity checks, like whether the identity keys actually do any cryptography, would be a very obvious thing to test while building something like this,” Radocea told TechCrunch. “There are people out there who would take the messaging about security literally and could rely on it for their safety, so the project in its current state could endanger them.”
As for his and others’ findings, Radocea took issue with Dorsey’s warning that Bitchat had not been tested for security.
“I would argue that it received an external security review, and it doesn’t look good,” he said.