Jack Dorsey Unveils Bitchat But Faces Security Concerns


By Lisa Wong


Twitter and Square co-founder Jack Dorsey has released a new open-source chat application, Bitchat. He describes it as a highly secure, private, peer-to-peer messenger that needs no centralized infrastructure, aimed particularly at people living where internet use is surveilled or censored. Yet almost as soon as it appeared, security experts raised serious concerns about flaws in it.

In a white paper outlining Bitchat’s system design, Dorsey emphasizes the app’s commitment to security and describes the protocols and privacy mechanisms that are meant to shield user chats. One touch we liked is the “Favorite” contacts star, which lets users quickly recognize and reconnect with people they have talked to before through the app.

After launching Bitchat, Dorsey closed the first security report filed against it on GitHub as “done”, with no notes or further explanation. He later added a clarification to the repository that amounts to a warning: use the app only for development and testing, not production, and do not rely on its security until it has been through a rigorous public audit. Security experts remain concerned about the lack of outside review. The warning is an important reminder of the risks facing users who assume the app is safe.

Security researcher Alex Radocea has reviewed Bitchat’s security measures. He found that it is not hard to spoof other users, tricking their contacts into believing they are talking to the real person. Radocea criticized Dorsey’s own acknowledgment that the app’s security was untested, arguing that basic checks should have been performed first, starting with whether the identity keys used in the app actually perform any cryptographic function.

Radocea found a new hole in Bitchat’s Favorites system and immediately filed a ticket on the project’s GitHub to report it. He raised other objections to Dorsey’s claims, including concerns about how the app implements “forward secrecy”, the property that past messages stay confidential even if an attacker later obtains a party’s long-term keys. Radocea also posted a warning directly to Bitchat users, urging them to stay vigilant and not to trust the app for the time being because of its significant security flaws.

Things escalated when an anonymous reporter pointed out a possible buffer overflow in Bitchat, a class of memory-safety bug that attackers routinely exploit once it is confirmed. Radocea described Bitchat’s “broken identity authentication/verification”: because identity keys and peer IDs are not cryptographically bound and checked, an attacker can present a favorite’s peer ID together with a key of their own and be accepted as that contact.
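As an added illustration, not code from Bitchat or from Radocea’s report, the following Go program models the failure mode described in the two paragraphs above: a favorites check that matches on peer ID alone and never uses the identity key, next to a hardened check that pins the key seen at first contact and demands a signature over a fresh challenge. The announcement format, field names, peer IDs and the choice of Ed25519 are assumptions for this example, not Bitchat’s actual protocol.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/subtle"
	"fmt"
)

// Announcement is a constructed stand-in for a peer presenting itself:
// a human-readable peer ID, the identity public key it claims, and a
// signature over a challenge the verifier issued. Field names are
// assumptions for this example, not Bitchat's wire format.
type Announcement struct {
	PeerID      string
	IdentityKey ed25519.PublicKey
	Signature   []byte // Ed25519 signature over the verifier's challenge
}

// Favorites pins the identity key seen at first contact for each peer ID.
type Favorites map[string]ed25519.PublicKey

// isTrustedInsecure models the flaw the article describes: the "favorite"
// relationship is keyed on the peer ID alone, and the identity key is
// carried along but never used for any cryptography.
func isTrustedInsecure(f Favorites, a Announcement) bool {
	_, ok := f[a.PeerID]
	return ok
}

// isTrustedSecure requires (1) the announced key to equal the pinned key
// for that peer ID and (2) a valid signature by that pinned key over a
// fresh challenge. Presenting a favorite's peer ID with another key fails.
func isTrustedSecure(f Favorites, a Announcement, challenge []byte) bool {
	pinned, ok := f[a.PeerID]
	if !ok || len(a.IdentityKey) != ed25519.PublicKeySize {
		return false
	}
	if subtle.ConstantTimeCompare(pinned, a.IdentityKey) != 1 {
		return false // key changed: untrusted until the user re-verifies
	}
	return ed25519.Verify(pinned, challenge, a.Signature)
}

// newChallenge returns 32 random bytes; the verifier issues a new one per
// session so a captured signature cannot be replayed.
func newChallenge() []byte {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		panic(err)
	}
	return c
}

// RunScenario plays out the impersonation: "alice" is a pinned favorite and
// "mallory" knows only Alice's peer ID, announcing it with her own key.
// It returns, in order: insecure check accepts the impostor, secure check
// accepts the impostor, secure check accepts the real Alice, secure check
// accepts Alice's old signature replayed against a new challenge.
func RunScenario() (insecureAcceptsImpostor, secureAcceptsImpostor, secureAcceptsGenuine, secureAcceptsReplay bool) {
	alicePub, alicePriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	malloryPub, malloryPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	favs := Favorites{"alice": alicePub}
	challenge := newChallenge()

	// Mallory claims Alice's peer ID and signs correctly with her own key.
	impostor := Announcement{PeerID: "alice", IdentityKey: malloryPub,
		Signature: ed25519.Sign(malloryPriv, challenge)}
	insecureAcceptsImpostor = isTrustedInsecure(favs, impostor)
	secureAcceptsImpostor = isTrustedSecure(favs, impostor, challenge)

	// The real Alice answers the same challenge with the pinned key.
	genuine := Announcement{PeerID: "alice", IdentityKey: alicePub,
		Signature: ed25519.Sign(alicePriv, challenge)}
	secureAcceptsGenuine = isTrustedSecure(favs, genuine, challenge)

	// Replay: Alice's captured signature presented against a fresh challenge.
	secureAcceptsReplay = isTrustedSecure(favs, genuine, newChallenge())
	return
}

func main() {
	a, b, c, d := RunScenario()
	fmt.Printf("insecure accepts impostor: %v\n", a)
	fmt.Printf("secure accepts impostor:   %v\n", b)
	fmt.Printf("secure accepts genuine:    %v\n", c)
	fmt.Printf("secure accepts replay:     %v\n", d)
}
```

The point of the pinned-key comparison is that a key that changes for a known peer ID is treated as a new, untrusted identity rather than silently replacing the favorite; the challenge-response is what makes the key "actually do cryptography", since anyone can copy a public key but only its holder can sign a value they have never seen before.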

As these issues surfaced, Dorsey reopened the ticket on Wednesday and said that users could and should report security vulnerabilities directly through GitHub’s issue tracker. At launch, Bitchat’s main GitHub repository page carried no upfront warning that its security was unproven, an omission that sits uneasily with the transparency and user safety the project claims to provide.

“Security is a great feature to have for going viral. But a basic sanity check, like, do the identity keys actually do any cryptography, would be a very obvious thing to test when building something like this,” said Alex Radocea.

Radocea cautioned that people could misread the app’s security claims and end up relying on it in situations where their physical safety is at stake. The project as it stands, he said, risks harming users who believe their communications are secure.