Jack Dorsey says his 'secure' new Bitchat app has not been tested for security

Yahoo, 09-07-2025
On Sunday, Block CEO and Twitter co-founder Jack Dorsey launched an open source chat app called Bitchat, promising to deliver 'secure' and 'private' messaging without a centralized infrastructure.
The app relies on Bluetooth and end-to-end encryption, unlike traditional messaging apps that rely on the internet. Because it is decentralized, Bitchat has the potential to be a secure app in high-risk environments where the internet is monitored or inaccessible. According to Dorsey's white paper detailing the app's protocols and privacy mechanisms, Bitchat's system design 'prioritizes' security.
But the claim that the app is secure is already facing scrutiny from security researchers, given that, by Dorsey's own admission, the app and its code have not been reviewed or tested for security issues at all.
Since launching, Dorsey has added a warning to Bitchat's GitHub page: 'This software has not received external security review and may contain vulnerabilities and does not necessarily meet its stated security goals. Do not use it for production use, and do not rely on its security whatsoever until it has been reviewed.'
This warning now also appears on Bitchat's main GitHub project page, but was not there at the time the app debuted.
As of Wednesday, Dorsey had added 'Work in progress' next to the warning on GitHub.
This latest disclaimer came after security researcher Alex Radocea found that it is possible to impersonate someone else and trick a person's contacts into thinking they are talking to the legitimate contact, as the researcher explained in a blog post.
Radocea wrote that Bitchat has a 'broken identity authentication/verification' system that allows an attacker to intercept someone's 'identity key' and 'peer id pair', essentially a digital handshake that is supposed to establish a trusted connection between two people using the app. Bitchat calls such trusted contacts 'Favorites' and marks them with a star icon. The goal of this feature is to let two Bitchat users interact knowing that they are talking to the same person they talked to before.
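To make concrete what a working identity check looks like, here is an added example in Go (not Bitchat's code, and not a description of how Bitchat's protocol actually works). It models the defensive property the finding above says is missing: an observed (peer ID, identity key) pair should be worthless to a bystander unless the sender can also prove possession of the matching private key over a fresh challenge, and the key must match the one already pinned as a Favorite. The peer names, the `Announce`/`Favorites` types, and the `example-identity-proof:` label are constructed for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Announce is the (peer ID, identity public key) pair a peer broadcasts.
// Anyone in radio range can record it, so the pair alone proves nothing.
type Announce struct {
	PeerID      string
	IdentityKey ed25519.PublicKey
}

// Favorites pins the identity key first seen for each peer ID (trust on first use).
type Favorites struct {
	pinned map[string]ed25519.PublicKey
}

func NewFavorites() *Favorites {
	return &Favorites{pinned: map[string]ed25519.PublicKey{}}
}

var (
	ErrNoProof     = errors.New("announce is not backed by a valid signature over the challenge")
	ErrPinMismatch = errors.New("identity key differs from the pinned Favorite")
)

// NewNonce draws a fresh 32-byte challenge; a new one per announce defeats replay.
func NewNonce() ([]byte, error) {
	n := make([]byte, 32)
	_, err := rand.Read(n)
	return n, err
}

// challengeMessage binds the nonce to the claimed peer ID, so a signature made
// for one ID or one session cannot be reused for another. The label is a
// constructed value for this example, not a Bitchat protocol string.
func challengeMessage(nonce []byte, peerID string) []byte {
	msg := append([]byte("example-identity-proof:"), nonce...)
	return append(msg, []byte(peerID)...)
}

// Prove is the announcing peer's side: sign the challenge with the identity
// private key that the announced public key belongs to.
func Prove(priv ed25519.PrivateKey, nonce []byte, peerID string) []byte {
	return ed25519.Sign(priv, challengeMessage(nonce, peerID))
}

// Verify accepts an announce only if the signature proves possession of the
// announced key and the key matches the pinned Favorite (pinning on first sight).
func (f *Favorites) Verify(a Announce, nonce, sig []byte) error {
	if len(a.IdentityKey) != ed25519.PublicKeySize ||
		!ed25519.Verify(a.IdentityKey, challengeMessage(nonce, a.PeerID), sig) {
		return ErrNoProof
	}
	if pinned, ok := f.pinned[a.PeerID]; ok {
		if !pinned.Equal(a.IdentityKey) {
			return ErrPinMismatch
		}
		return nil
	}
	f.pinned[a.PeerID] = append(ed25519.PublicKey(nil), a.IdentityKey...)
	return nil
}

func main() {
	alicePub, alicePriv, _ := ed25519.GenerateKey(nil)
	_, malloryPriv, _ := ed25519.GenerateKey(nil)
	favs := NewFavorites()
	alice := Announce{PeerID: "alice", IdentityKey: alicePub}

	nonce, _ := NewNonce()
	fmt.Println("alice, genuine proof:", favs.Verify(alice, nonce, Prove(alicePriv, nonce, "alice")))

	// A copied pair without the private key cannot answer a fresh challenge.
	nonce2, _ := NewNonce()
	fmt.Println("copied pair, wrong key:", favs.Verify(alice, nonce2, Prove(malloryPriv, nonce2, "alice")))
}
```

The two checks are deliberately separate: the signature check answers "does the announcer hold this key?", and the pin check answers "is it the same key my Favorite had last time?". Dropping either one reopens the impersonation path described above, and a real protocol would additionally need to guard the first-sight pin (for example by letting users compare key fingerprints out of band).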
Dorsey did not respond to TechCrunch's request for comment sent to his Block email address.
On Monday, Radocea filed a ticket on the GitHub project to ask how to report the security flaw he discovered in the Bitchat Favorites system. Soon after, Dorsey marked it as 'completed,' without comment. (Dorsey re-opened the ticket on Wednesday, saying security issues can be reported by posting on GitHub directly.)
Another person reported concerns with Dorsey's claims that Bitchat has 'forward secrecy,' a cryptographic technique that ensures that even if an attacker steals or compromises an encryption key, that attacker still cannot decrypt previously sent messages.
Someone also pointed out a potential buffer overflow bug, a common type of security vulnerability in which data written past the end of a buffer spills into adjacent memory, opening the door to a data compromise.
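The forward secrecy property described above can be shown with a small one-way sending chain (a hash ratchet of the kind used for the symmetric half of Signal's Double Ratchet). The following is an added example in Go, not Bitchat's code and not a statement about how Bitchat derives its keys; the root secret, the message texts and the `Ratchet`/`Message` names are constructed for the example. Each message key is derived from the current chain key with HMAC-SHA256, the chain key is then replaced and the old one erased, so a copy of the sender's state taken after message n opens messages n onward but gives no way back to the keys of earlier messages.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// Message is one sealed message: its position in the chain and the
// AES-256-GCM ciphertext (authentication tag included).
type Message struct {
	Index      int
	Ciphertext []byte
}

// Ratchet is a one-way sending chain. Each step derives a message key and a
// new chain key from the current chain key, then erases the current one.
// HMAC-SHA256 is one-way, so state held after step n does not lead back to
// the keys of steps before n.
type Ratchet struct {
	chainKey []byte
	index    int
}

func NewRatchet(root []byte) *Ratchet {
	return &Ratchet{chainKey: append([]byte(nil), root...)}
}

// Clone copies the state; used below to model an attacker who captures it.
func (r *Ratchet) Clone() *Ratchet {
	return &Ratchet{chainKey: append([]byte(nil), r.chainKey...), index: r.index}
}

func kdf(key []byte, label string) []byte {
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(label))
	return mac.Sum(nil)
}

// Next returns (index, message key) for the current step and advances,
// zeroing the chain key the step was derived from.
func (r *Ratchet) Next() (int, []byte) {
	messageKey := kdf(r.chainKey, "message")
	nextChain := kdf(r.chainKey, "chain")
	for i := range r.chainKey {
		r.chainKey[i] = 0
	}
	r.chainKey = nextChain
	idx := r.index
	r.index++
	return idx, messageKey
}

func aead(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key) // 32-byte HMAC output selects AES-256
	if err != nil {
		panic(err)
	}
	g, err := cipher.NewGCM(block)
	if err != nil {
		panic(err)
	}
	return g
}

// nonceFor builds the 12-byte GCM nonce from the message index; each message
// key is used exactly once, so a counter nonce is safe here.
func nonceFor(index int) []byte {
	n := make([]byte, 12)
	binary.BigEndian.PutUint64(n[4:], uint64(index))
	return n
}

// Seal encrypts with the next message key and advances the ratchet.
func (r *Ratchet) Seal(plaintext []byte) Message {
	idx, mk := r.Next()
	return Message{Index: idx, Ciphertext: aead(mk).Seal(nil, nonceFor(idx), plaintext, nil)}
}

// Open decrypts one message with its message key.
func Open(messageKey []byte, m Message) ([]byte, error) {
	return aead(messageKey).Open(nil, nonceFor(m.Index), m.Ciphertext, nil)
}

// DecryptableFrom models an attacker holding a stolen copy of the sender's
// state: it derives every message key reachable by running the chain forward
// and reports which of the captured messages those keys open.
func DecryptableFrom(stolen *Ratchet, captured []Message) []int {
	state := stolen.Clone()
	var keys [][]byte
	for range captured {
		_, mk := state.Next()
		keys = append(keys, mk)
	}
	var opened []int
	for _, m := range captured {
		for _, mk := range keys {
			if _, err := Open(mk, m); err == nil {
				opened = append(opened, m.Index)
				break
			}
		}
	}
	return opened
}

func main() {
	root := sha256.Sum256([]byte("constructed shared secret for the demo"))
	sender := NewRatchet(root[:])
	var captured []Message
	for i := 0; i < 5; i++ {
		captured = append(captured, sender.Seal([]byte(fmt.Sprintf("message %d", i))))
	}
	// Compromise the live state now: it holds the chain key for message 5 onward.
	fmt.Println("messages a later-stolen state can open:", DecryptableFrom(sender.Clone(), captured))
}
```

The erase step in `Next` is what turns the one-way property into forward secrecy in practice: if old chain keys (or old message keys) are kept around, a device compromise hands them over and the property evaporates even though the derivation itself is one-way. A full messaging protocol would also mix in fresh Diffie-Hellman output periodically so that a stolen chain key stops being useful for future messages too; this example shows only the backward direction.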
Radocea warned that Bitchat users should not trust the app yet.
'Security is a great feature to have for going viral. But a basic sanity check, like, do the identity keys actually do any cryptography, would be a very obvious thing to test when building something like this,' Radocea told TechCrunch. 'There are people out there that would take the messaging around security literally and could rely on it for their safety, so the project in its current state could endanger them.'
Referring to his and other people's findings, Radocea criticized Dorsey's warning that Bitchat has not been tested for security.
'I'd argue it has received external security review, and it's not looking good,' he said.