


Jack Dorsey Says His 'Secure' New Bitchat App Has Not Been Tested For Security (techcrunch.com)
An anonymous reader quotes a report from TechCrunch: On Sunday, Block CEO and Twitter co-founder Jack Dorsey launched an open source chat app called Bitchat, promising to deliver "secure" and "private" messaging without a centralized infrastructure. The app relies on Bluetooth and end-to-end encryption, unlike traditional messaging apps that rely on the internet. By being decentralized, Bitchat has potential for being a secure app in high-risk environments where the internet is monitored or inaccessible. According to Dorsey's white paper detailing the app's protocols and privacy mechanisms, Bitchat's system design "prioritizes" security.
But the claims that the app is secure are already facing scrutiny by security researchers, given that the app and its code have not been reviewed or tested for security issues at all -- by Dorsey's own admission. Since launching, Dorsey has added a warning to Bitchat's GitHub page: "This software has not received external security review and may contain vulnerabilities and does not necessarily meet its stated security goals. Do not use it for production use, and do not rely on its security whatsoever until it has been reviewed." This warning now also appears on Bitchat's main GitHub project page but was not there at the time the app debuted.
As of Wednesday, Dorsey added: "Work in progress," next to the warning on GitHub. This latest disclaimer came after security researcher Alex Radocea found that it's possible to impersonate someone else and trick a person's contacts into thinking they are talking to the legitimate contact, as the researcher explained in a blog post. Radocea wrote that Bitchat has a "broken identity authentication/verification" system that allows an attacker to intercept someone's "identity key" and "peer id pair" -- essentially a digital handshake that is supposed to establish a trusted connection between two people using the app. Bitchat calls these "Favorite" contacts and marks them with a star icon. The goal of this feature is to allow two Bitchat users to interact, knowing that they are talking to the same person they talked to before.
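The identity problem described above is that a "Favorite" contact is recognised by an identity key and peer id pair, and that an attacker who captures that pair can present it and be accepted. The defence a practitioner would expect is twofold: pin the key the first time a peer id is seen and refuse to silently accept a different key later, and require the peer to prove it holds the private key by signing a fresh challenge, so a captured pair alone is useless. The following Go program is an added example written for this page; it is not Bitchat's code and says nothing about how Bitchat actually implements its handshake. It assumes Ed25519 identity keys, free-form peer ids, and an `Announcement` structure of its own invention.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Announcement is what a peer presents when it reconnects. This structure
// is an assumption made for the example, not a Bitchat wire format.
type Announcement struct {
	PeerID    string            // the peer id the remote side claims
	Identity  ed25519.PublicKey // the long-term identity (public) key it presents
	Signature []byte            // its signature over the challenge we just issued
}

var (
	ErrBadKey     = errors.New("identity key has the wrong size")
	ErrNoProof    = errors.New("challenge signature invalid: peer does not hold the private key")
	ErrKeyChanged = errors.New("identity key differs from the pinned key for this peer id: re-verify out of band")
)

// PinStore remembers the identity key first seen for each peer id (trust on first use).
// The first pin should still be confirmed out of band (e.g. by comparing fingerprints);
// after that, a different key for the same peer id is an error, never an automatic update.
type PinStore struct {
	pins map[string]ed25519.PublicKey
}

func NewPinStore() *PinStore {
	return &PinStore{pins: map[string]ed25519.PublicKey{}}
}

// NewChallenge returns a fresh random nonce. A nonce is never reused, so a
// signature captured from an earlier session cannot be replayed.
func NewChallenge() []byte {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		panic(err)
	}
	return c
}

// Verify checks an announcement against the challenge we issued. It returns
// firstSeen=true when the peer id was unknown and has just been pinned.
func (s *PinStore) Verify(a Announcement, challenge []byte) (firstSeen bool, err error) {
	if len(a.Identity) != ed25519.PublicKeySize {
		return false, ErrBadKey
	}
	// Proof of possession: only the holder of the private key can sign our nonce.
	if !ed25519.Verify(a.Identity, challenge, a.Signature) {
		return false, ErrNoProof
	}
	pinned, known := s.pins[a.PeerID]
	if !known {
		s.pins[a.PeerID] = append(ed25519.PublicKey(nil), a.Identity...)
		return true, nil
	}
	// Key continuity: a known peer id must keep presenting the pinned key.
	if !pinned.Equal(a.Identity) {
		return false, ErrKeyChanged
	}
	return false, nil
}

func main() {
	store := NewPinStore()
	alicePub, alicePriv, _ := ed25519.GenerateKey(rand.Reader)

	// First contact: Alice signs our challenge and is pinned under her peer id.
	ch := NewChallenge()
	first, err := store.Verify(Announcement{"alice", alicePub, ed25519.Sign(alicePriv, ch)}, ch)
	fmt.Println("first contact:", first, err)

	// Replay of a captured (key, peer id, signature) triple against a new challenge fails.
	ch2 := NewChallenge()
	_, err = store.Verify(Announcement{"alice", alicePub, ed25519.Sign(alicePriv, ch)}, ch2)
	fmt.Println("replayed announcement:", err)

	// A different key claiming Alice's peer id is flagged, not silently accepted.
	malPub, malPriv, _ := ed25519.GenerateKey(rand.Reader)
	ch3 := NewChallenge()
	_, err = store.Verify(Announcement{"alice", malPub, ed25519.Sign(malPriv, ch3)}, ch3)
	fmt.Println("imposter key:", err)
}
```

The two checks are independent on purpose: the challenge signature defeats replay of anything captured over the air, and the pin defeats a fresh key that merely claims a favourite's peer id. A client that does either check alone still has the failure mode the researcher describes.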
Bitchchat? (Score:3)
Re:Bitchchat? (Score:5, Funny)
Re: (Score:2)
Where da bitch at?
Re: (Score:1)
Re: (Score:2)
Re: (Score:3)
BitchX? (Score:1)
You folks remember BitchX?
They spent like a decade to patch an RCE so this will probably be a spiritual successor.
Re: (Score:2)
Re: (Score:2)
Or bring back old BitchX: https://bitchx.sourceforge.net... [sourceforge.net]
Secure (Score:2)
It's 'Trust me Bro' secure. Maybe.
Important omission. (Score:2)
Re: (Score:2)
Techbro says "Launch now, fix later" (Score:1, Insightful)
Instead of piles of warnings that most people won't read and fewer will truly understand the real world implications of, he could have just released it as a beta but nooooooo gotta push shit code and fuck the users. Or he could have actually had it tested. As if he can't afford it.
That sort of bullshit might be acceptable for games or other trivia but for an app where the only big claim is security?
Jack, get off the net. You have enough money. You're making the world a worse place.
mod parent up (Score:3)
Parent post deserves more respect, it's insightful.
But as long as there are no legal consequences for software that has faults, whether security faults or functional faults, this approach of "throw shit out there, and disclaim responsibility for it" will continue.
Re: (Score:1)
The author gets the respect they earn and the post is not nearly insightful enough to overcome that burden. If anything it's a rather pedestrian take for /.; there will be 12 other people saying the same exact thing.
Re: (Score:1)
"i want my safe space back where i dont have to contend with ideas i find scary!"
triggered much?!
Article was LLM written (Score:2)
Re: (Score:2)
(It was at -1 when I responded...)
Re: (Score:3)
Instead of piles of warnings that most people won't read and fewer will truly understand the real world implications of, he could have just released it as a beta but nooooooo gotta push shit code and fuck the users. Or he could have actually had it tested. As if he can't afford it.
That sort of bullshit might be acceptable for games or other trivia but for an app where the only big claim is security?
Jack, get off the net. You have enough money. You're making the world a worse place.
Honestly, this is tech-bro culture through and through. Beta level software, sometimes alpha level software, is released to the public as complete, and all real testing happens in the wild. Bug reports are only dealt with if the creator feels like it.
Re: (Score:2)
You could send JD a Bich message about this.
Oh, that pesky security (Score:2)
We'll just throw it over the wall to the dummies in
Expectations (Score:2)
In the launch, just a few days ago, he called this "a personal experiment". Given that, it seems to be a bit churlish to be beating the guy up over a few rough edges. It's clearly a long way from finished, considering the not-yet-implemented features he talked about, and so yeah, there's some bugs too. Give the guy a break.
"It's secure because I said so." (Score:3)
The first rule of security is usually "don't make your own". In other words, use existing, tested, verified, trusted code, protocols, and processes. Now if your INTENT is to roll your own, you really do need a lot of peer review. Even if you have a Ph.D. in cyber-security and secure coding, you really still need others to take a look at it to see if you missed something. Because EVERYBODY misses something. The attack surface is just too broad to catch every subtle thing on the first run through.
And if some 3rd party hops in and IMMEDIATELY finds a hole (without the benefit of the source to look through) it's virtually guaranteed to have a lot more holes in it just waiting to be zero-day'd.
Lying replaces actual quality... (Score:2)
That pretty much has become the new normal. Instead of delivering quality and the features they promise, these assholes now simply lie about it and claim to have features in their products that are not actually there. It is high time for liability. And a direct lie like this one should come with personal criminal consequences for the c-levels.
Haven't you done enough damage, Jack? (Score:2)
n/t
secure (Score:2)
Typo. He meant "sinecure."
Bluetooth? (Score:2)
Re: (Score:1)
I like the whitepaper (Score:2)
Looks cool from the whitepaper. Jack has always been into distributed/mesh network apps. I'd be interested to see how well it works considering the lack of networking peers. If, say Apple does a low-power bluetooth mesh network, it probably works pretty well because the peers are all over the place.
They've run *a* security test, great! (Score:2)
Nothing to see here, no more testing to do!
So what? (Score:2)
A really good developer did a weekend project and came up with a working prototype of a knockoff/alternative to Briar and/or Meshtastic. (Briar can use BT, too, IIRC) That's great and he may have been 10x faster than any other dev I know, but so far it's just that: an interesting work in progress. He hasn't opened a new company selling crypto snakeoil.
This is interesting. Not more, not less.