On Sunday, Block CEO and Twitter co-founder Jack Dorsey released Bitchat, a messaging app he promises will provide “secure” and “private” messages without any central infrastructure.
The app relies on Bluetooth and end-to-end encryption rather than on the internet, unlike traditional internet-based messaging apps. Because it is decentralized, Bitchat has the potential to be a safe application in high-risk environments where the internet is monitored or inaccessible. According to Dorsey’s white paper, which describes the app’s protocols and privacy mechanisms, Bitchat’s design “prioritizes” security.
However, the claim that the app is secure is already facing scrutiny from security researchers, because neither the app nor its code has been reviewed or tested for security issues, by Dorsey’s own admission.
Since launch, Dorsey has added a warning to Bitchat’s GitHub page: “This software has not received an external security review and may contain vulnerabilities and does not necessarily meet its stated security objectives.”
This warning now appears on the Bitchat GitHub project page, but it wasn’t there when the app debuted.
On Wednesday, Dorsey added “Work in progress” next to the GitHub warning.
This latest disclosure came after security researcher Alex Radocea found that it was possible to impersonate someone else and fool a person’s contacts into believing they are talking with a legitimate contact, as the researcher explained in a blog post.
Radocea wrote that Bitchat has a “broken identity/verification” system that allows an attacker to intercept someone’s “identity key” and “peer ID” pair – essentially a digital handshake that is supposed to establish a trusted relationship between two people using the app. Bitchat calls these “favorite” contacts and marks them with a star icon. The purpose of this feature is to let two Bitchat users communicate knowing that they are talking to the same person they spoke with before.
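To make the trust-binding problem concrete, here is an added illustration in Python; it is not Bitchat’s code and is not taken from Radocea’s post. It contrasts a favorites list that remembers a contact only by the peer ID that was announced with one that remembers the contact by an identity public key and requires the peer to sign a fresh, verifier-chosen nonce with the matching private key before being shown as a trusted favorite. The peer IDs, names and the Lamport one-time signature (used as a short stand-in for a real long-term identity-key scheme such as Ed25519) are all assumptions made for this example.

```python
import hashlib
import secrets


def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


# --- Stand-in identity-key signatures -------------------------------------
# A Lamport one-time signature is used only because it is a few lines of
# standard-library code; each key signs once in this demo. A real messenger
# would use a long-term scheme. The trust logic below does not depend on it.

def keygen():
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    pk = [(H(a), H(b)) for a, b in sk]
    return sk, pk


def _bits(msg: bytes):
    digest = H(msg)
    return [(digest[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]


def sign(sk, msg: bytes):
    return [sk[i][bit] for i, bit in enumerate(_bits(msg))]


def verify(pk, msg: bytes, sig) -> bool:
    if len(sig) != 256:
        return False
    return all(H(sig[i]) == pk[i][bit] for i, bit in enumerate(_bits(msg)))


def fingerprint(pk) -> str:
    return hashlib.sha256(b"".join(a + b for a, b in pk)).hexdigest()


# --- Two ways of remembering a "favorite" ----------------------------------

class PeerIdFavorites:
    """The pattern the post describes as broken: a favorite is remembered by the
    announced peer ID, so anyone who later announces that ID is treated as the favorite."""

    def __init__(self):
        self._ids = set()

    def add(self, peer_id: str):
        self._ids.add(peer_id)

    def is_trusted(self, announce: dict, nonce: bytes = None) -> bool:
        return announce["peer_id"] in self._ids


class IdentityKeyFavorites:
    """Hardened form: a favorite is remembered by its identity public key, and a peer
    is trusted only after signing a fresh verifier-chosen nonce, bound to the peer ID
    it claims, with the matching private key."""

    def __init__(self):
        self._keys = {}  # fingerprint -> (display name, public key)

    def add(self, pk, name: str):
        self._keys[fingerprint(pk)] = (name, pk)

    @staticmethod
    def new_nonce() -> bytes:
        return secrets.token_bytes(16)

    def is_trusted(self, announce: dict, nonce: bytes) -> bool:
        entry = self._keys.get(fingerprint(announce["identity_pk"]))
        if entry is None:
            return False
        _, pk = entry
        # The signed message covers the nonce, so a recorded proof cannot be replayed.
        return verify(pk, nonce + announce["peer_id"].encode(), announce["proof"])


def simulate() -> dict:
    """Constructed scenario: Alice is a favorite; Mallory announces Alice's peer ID."""
    alice_sk, alice_pk = keygen()
    mallory_sk, _ = keygen()
    alice_id = "alice-peer-1234"  # constructed sample peer ID

    weak, strong = PeerIdFavorites(), IdentityKeyFavorites()
    weak.add(alice_id)
    strong.add(alice_pk, "Alice")

    nonce = strong.new_nonce()
    alice = {"peer_id": alice_id, "identity_pk": alice_pk,
             "proof": sign(alice_sk, nonce + alice_id.encode())}
    # Mallory copies Alice's announced peer ID and public key, but can only sign
    # with her own private key.
    mallory = {"peer_id": alice_id, "identity_pk": alice_pk,
               "proof": sign(mallory_sk, nonce + alice_id.encode())}
    later_nonce = strong.new_nonce()  # a recorded proof from Alice replayed later

    return {
        "weak_accepts_alice": weak.is_trusted(alice),
        "weak_accepts_impostor": weak.is_trusted(mallory),
        "strong_accepts_alice": strong.is_trusted(alice, nonce),
        "strong_accepts_impostor": strong.is_trusted(mallory, nonce),
        "strong_accepts_replay": strong.is_trusted(alice, later_nonce),
    }


if __name__ == "__main__":
    for check, result in simulate().items():
        print(f"{check}: {result}")
```

The weak store accepts the impostor because the only thing it checks is a string anyone can announce; the hardened store accepts only a peer who can produce a signature under the remembered key over a nonce it has never seen before, which is the property a starred “favorite” is meant to convey.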
Dorsey did not respond to TechCrunch’s request for comment sent to Block’s email address.
On Monday, Radocea filed a ticket on the GitHub project asking how to report the security flaw he had found in Bitchat’s favorites system. Shortly afterwards, Dorsey marked it as “completed” without comment. (Dorsey reopened the ticket on Wednesday, saying that security issues can be reported directly by posting on GitHub.)
Another person raised concerns about Dorsey’s claim that Bitchat has “forward secrecy”, a cryptographic property which ensures that even if an attacker steals or compromises an encryption key, the attacker cannot decrypt messages that were already sent.
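As an added example, not Bitchat’s code, the following Python contrasts a session that derives every message key from one long-lived root key with a session that advances a hash chain after each message and discards the old chain key. An attacker who captures the session state after several messages can re-derive every earlier message key in the first design and none in the second, which is what the forward-secrecy claim means in practice. The HMAC-based key chain, the toy stream cipher, the root key and the sample messages are all constructed for this illustration and stand in for a real protocol’s primitives.

```python
import hmac
import hashlib


def derive(key: bytes, label: bytes) -> bytes:
    """One-way key derivation step (HMAC-SHA256)."""
    return hmac.new(key, label, hashlib.sha256).digest()


def xor_stream(msg_key: bytes, data: bytes) -> bytes:
    """Toy stream cipher: HMAC-SHA256 in counter mode XORed over the data.
    Illustration only; a real protocol would use an AEAD construction."""
    out = bytearray()
    for start in range(0, len(data), 32):
        block = derive(msg_key, b"keystream" + (start // 32).to_bytes(4, "big"))
        out.extend(a ^ b for a, b in zip(data[start:start + 32], block))
    return bytes(out)


class StaticKeySession:
    """No forward secrecy: each message key is derived directly from a root key
    that is kept for the whole life of the session."""

    def __init__(self, root: bytes):
        self.root, self.n = root, 0

    def encrypt(self, plaintext: bytes) -> bytes:
        msg_key = derive(self.root, b"msg" + self.n.to_bytes(4, "big"))
        self.n += 1
        return xor_stream(msg_key, plaintext)

    def state(self) -> dict:
        return {"root": self.root, "n": self.n}


class RatchetSession:
    """Forward secrecy: each message key comes from a hash chain, and the chain
    key is advanced (and the previous one forgotten) as the message is sent."""

    def __init__(self, root: bytes):
        self.chain, self.n = root, 0

    def encrypt(self, plaintext: bytes) -> bytes:
        msg_key = derive(self.chain, b"msg")
        self.chain = derive(self.chain, b"chain")  # the old chain key is gone after this
        self.n += 1
        return xor_stream(msg_key, plaintext)

    def state(self) -> dict:
        return {"chain": self.chain, "n": self.n}


def keys_derivable_from(state: dict, count: int) -> list:
    """Every message key someone holding this captured state can compute; `count`
    keys are tried, enough to cover all messages sent so far."""
    if "root" in state:
        return [derive(state["root"], b"msg" + i.to_bytes(4, "big")) for i in range(count)]
    keys, chain = [], state["chain"]
    for _ in range(count):  # the chain only runs forward from the capture point
        keys.append(derive(chain, b"msg"))
        chain = derive(chain, b"chain")
    return keys


def recovered_after_compromise(session_cls, plaintexts: list) -> int:
    """Send the messages, then hand over the session state and count how many
    of the earlier plaintexts any derivable key decrypts correctly."""
    session = session_cls(b"constructed-root-key-for-demo-32")  # constructed key
    ciphertexts = [session.encrypt(p) for p in plaintexts]
    candidate_keys = keys_derivable_from(session.state(), len(plaintexts))
    return sum(
        1 for ct, pt in zip(ciphertexts, plaintexts)
        if any(xor_stream(k, ct) == pt for k in candidate_keys)
    )


SAMPLE = [b"first message", b"second message", b"third message"]  # constructed

if __name__ == "__main__":
    print("static key: past messages recovered =",
          recovered_after_compromise(StaticKeySession, SAMPLE))
    print("hash ratchet: past messages recovered =",
          recovered_after_compromise(RatchetSession, SAMPLE))
```

The point of the comparison is that a later capture of the ratchet state only yields keys for messages not yet sent, because the derivation is one-way; a design that keeps a single root key around exposes everything sent under it, however strong the cipher.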
Someone else highlighted a possible buffer overflow bug, a common type of security vulnerability in which a program can be made to write data past the memory set aside for it into other locations, opening the door to a compromise.
Radocea warned that Bitchat users should not trust the app yet.
“Security is an excellent feature to have to go viral, but a basic logic check, as well as having the identity keys actually do any cryptography, would be a very obvious thing to try when building this,” Radocea told TechCrunch. “There are people out there who would take the messaging around security literally and could rely on it for their safety, so the project in its current state could endanger them.”
Referring to the other people’s findings, Radocea criticized Dorsey’s warning that Bitchat has not been tested for security.
“I would argue that it has received an external security review and it doesn’t look good,” he said.
