Jack Dorsey says his 'secure' new Bitchat app has not been tested for security

TechCrunch, 09-07-2025
On Sunday, Block CEO and Twitter co-founder Jack Dorsey launched an open source chat app called Bitchat, promising to deliver 'secure' and 'private' messaging without a centralized infrastructure.
The app sends messages over Bluetooth rather than the internet, unlike traditional messaging apps, and says it encrypts them end to end. Because it needs no central server, Bitchat could be useful in high-risk environments where the internet is monitored or unavailable. According to Dorsey's white paper detailing the app's protocols and privacy mechanisms, Bitchat's system design 'prioritizes' security.
But the claims that the app is secure are already facing scrutiny from security researchers, given that, by Dorsey's own admission, the app and its code have not been reviewed or tested for security issues at all.
Since launching, Dorsey has added a warning to Bitchat's GitHub page: 'This software has not received external security review and may contain vulnerabilities and does not necessarily meet its stated security goals. Do not use it for production use, and do not rely on its security whatsoever until it has been reviewed.'
This warning now also appears on Bitchat's main GitHub project page, but was not there at the time the app debuted.
As of Wednesday, Dorsey added: 'Work in progress,' next to the warning on GitHub.
This latest disclaimer came after security researcher Alex Radocea found that it is possible to impersonate another user and trick that person's contacts into thinking they are talking to the legitimate contact, as the researcher explained in a blog post.
Radocea wrote that Bitchat has a 'broken identity authentication/verification' system: an attacker can capture someone's 'identity key' and 'peer id pair', the identifiers the app is supposed to use to recognize a contact it has trusted before, and use them to impersonate that person. Bitchat calls these trusted contacts 'Favorites' and marks them with a star icon. The goal of the feature is to let two Bitchat users know that they are talking to the same person they talked to before.
Dorsey did not respond to TechCrunch's request for comment sent to his Block email address.
A screenshot showing an example chat in which an attacker impersonates 'Bob' in a conversation with 'Alice'; Bitchat displays the messages as if they really came from Bob. (Image: Alex Radocea)
On Monday, Radocea filed a ticket on the GitHub project to ask how to report the security flaw he discovered in the Bitchat Favorites system. Soon after, Dorsey marked it as 'completed,' without comment. (Dorsey re-opened the ticket on Wednesday, saying security issues can be reported by posting on GitHub directly.)
Another person raised concerns about Dorsey's claim that Bitchat has 'forward secrecy,' a cryptographic property under which each conversation is protected by fresh, short-lived keys, so that an attacker who later steals or compromises a user's long-term key still cannot decrypt previously sent messages.
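The two findings above, a Favorite check that never asks the claimed identity key to prove anything and a forward-secrecy claim, are easiest to see side by side in code. The following is an added example written for this page, not Bitchat's code or protocol: the peer model, the message layout, the 'demo-hello/v1' and 'demo-session/v1' labels and the names Alice, Bob and Mallory are all hypothetical. It shows a weak check that only compares an announced identity key against the pinned one (which any eavesdropper who has seen Bob's public key can pass), a strong check that also requires the message to be signed by the pinned key, and a session key derived from ephemeral X25519 keys so that the long-term identity key alone never yields an old session key.

```go
package main

import (
	"crypto/ecdh"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Peer is a hypothetical mesh participant: a long-term Ed25519 identity key
// (what a "Favorite" star should pin) and the keys it has pinned for favorites.
type Peer struct {
	Name      string
	identity  ed25519.PrivateKey
	Favorites map[string]ed25519.PublicKey
}

func NewPeer(name string) *Peer {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return &Peer{Name: name, identity: priv, Favorites: map[string]ed25519.PublicKey{}}
}

func (p *Peer) IdentityPub() ed25519.PublicKey { return p.identity.Public().(ed25519.PublicKey) }

// Pin stores a favorite's identity key, ideally after an out-of-band fingerprint check.
func (p *Peer) Pin(name string, key ed25519.PublicKey) { p.Favorites[name] = key }

// Hello opens a session: a claimed identity plus a fresh ephemeral X25519 key,
// with the ephemeral key signed by the long-term identity key (hypothetical format).
type Hello struct {
	ClaimedName  string
	IdentityPub  ed25519.PublicKey
	EphemeralPub []byte
	Signature    []byte
}

// transcript binds the signature to the claimed name and the ephemeral key.
func transcript(name string, ephPub []byte) []byte {
	return append([]byte("demo-hello/v1/"+name+"/"), ephPub...)
}

// NewHello returns the message and the ephemeral private key, which the
// caller keeps only for this session and then discards.
func (p *Peer) NewHello() (*Hello, *ecdh.PrivateKey) {
	eph, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	pub := eph.PublicKey().Bytes()
	sig := ed25519.Sign(p.identity, transcript(p.Name, pub))
	return &Hello{ClaimedName: p.Name, IdentityPub: p.IdentityPub(), EphemeralPub: pub, Signature: sig}, eph
}

// WeakVerify is the flawed check: it only compares the announced identity key
// with the pinned one. Anyone who has seen Bob's public key on the mesh passes.
func (p *Peer) WeakVerify(h *Hello) error {
	pinned, ok := p.Favorites[h.ClaimedName]
	if !ok || !pinned.Equal(h.IdentityPub) {
		return errors.New("identity key does not match pinned favorite")
	}
	return nil
}

// Verify adds proof of possession: the ephemeral key must carry a valid
// signature under the pinned key, which only the holder of the private key can make.
func (p *Peer) Verify(h *Hello) error {
	if err := p.WeakVerify(h); err != nil {
		return err
	}
	if !ed25519.Verify(p.Favorites[h.ClaimedName], transcript(h.ClaimedName, h.EphemeralPub), h.Signature) {
		return errors.New("hello not signed by the pinned identity key")
	}
	return nil
}

// SessionKey comes from the ephemeral exchange alone, so a later compromise of
// either long-term identity key does not reveal it (forward secrecy).
func SessionKey(mine *ecdh.PrivateKey, theirEphPub []byte) ([32]byte, error) {
	theirs, err := ecdh.X25519().NewPublicKey(theirEphPub)
	if err != nil {
		return [32]byte{}, err
	}
	shared, err := mine.ECDH(theirs)
	if err != nil {
		return [32]byte{}, err
	}
	return sha256.Sum256(append([]byte("demo-session/v1"), shared...)), nil
}

// Outcome records what each check decides and how the session keys behave.
type Outcome struct{ BobWeak, BobStrong, MalloryWeak, MalloryStrong, KeysAgree, KeysRotate bool }

// Scenario: Alice has pinned Bob; Mallory replays Bob's public identity key
// and name (both visible on the mesh) but can only sign with her own key.
func Scenario() Outcome {
	alice, bob, mallory := NewPeer("Alice"), NewPeer("Bob"), NewPeer("Mallory")
	alice.Pin("Bob", bob.IdentityPub())
	bobHello, bobEph := bob.NewHello()
	aliceHello, aliceEph := alice.NewHello()
	fake, _ := mallory.NewHello()
	fake.ClaimedName, fake.IdentityPub = "Bob", bob.IdentityPub()

	k1, _ := SessionKey(aliceEph, bobHello.EphemeralPub)
	k2, _ := SessionKey(bobEph, aliceHello.EphemeralPub)
	bobHello2, _ := bob.NewHello() // a second session: fresh ephemerals, fresh key
	_, aliceEph2 := alice.NewHello()
	k3, _ := SessionKey(aliceEph2, bobHello2.EphemeralPub)
	return Outcome{
		BobWeak: alice.WeakVerify(bobHello) == nil, BobStrong: alice.Verify(bobHello) == nil,
		MalloryWeak: alice.WeakVerify(fake) == nil, MalloryStrong: alice.Verify(fake) == nil,
		KeysAgree: k1 == k2, KeysRotate: k3 != k1,
	}
}

func main() { fmt.Printf("%+v\n", Scenario()) }
```

Running it shows Mallory passing WeakVerify and failing Verify, while Bob passes both; the two sides agree on the session key and a second session produces a different one. The point is the one Radocea makes below: pinning a key is only useful if the peer is made to prove it holds the matching private key, and forward secrecy only holds if the message key depends on per-session secrets that are thrown away.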
Someone also pointed out a potential buffer overflow bug, a common type of security vulnerability in which a program writes more data into a fixed-size memory region than it can hold, overwriting adjacent memory; depending on what gets overwritten, that can crash the app, corrupt data or let an attacker run code of their choosing.
Radocea warned that Bitchat users should not trust the app yet.
'Security is a great feature to have for going viral. But a basic sanity check, like, do the identity keys actually do any cryptography, would be a very obvious thing to test when building something like this,' Radocea told TechCrunch. 'There are people out there that would take the messaging around security literally and could rely on it for their safety, so the project in its current state could endanger them.'
Referring to his and other people's findings, Radocea criticized Dorsey's warning that Bitchat has not been tested for security.
'I'd argue it has received external security review, and it's not looking good,' he said.
Related Articles

Jack Dorsey's Bluetooth messaging app Bitchat now on App Store

TechCrunch

Bitchat, a messaging app created by Twitter and Block founder Jack Dorsey, is available to download from the iOS App Store. Dorsey says he coded the basis of the app over the course of a weekend in early July.

Bitchat operates over Bluetooth mesh networks, which means users can send messages to others within Bluetooth range, usually around 100 meters, without cell reception or a Wi-Fi connection. The app's UX is very minimal. There is no log-in system; you are immediately brought to an instant messaging box where you can see what nearby users are saying (if anyone around you is actually using the app) and set your display name, which can be changed at any time.

While Bitchat is sparking interest because of Dorsey's reputation, the concept of Bluetooth-powered messaging apps is not new. These apps are popular in settings like large music festivals, where cell service may be limited, or in the aftermath of natural disasters, where cell service and Wi-Fi availability may be impacted. The Bluetooth messaging app Bridgefy was notably used during pro-democracy protests in Hong Kong, since its ability to function without the internet made it harder for authorities to detect.

Dorsey advertised Bitchat as a secure, private messaging platform when it went live for beta use earlier this month. But security researcher Alex Radocea pointed out in a blog post that it's easy to impersonate other people within Bitchat, calling into question how secure the 'vibe-coded' app really is. 'In cryptography, details matter,' Radocea wrote. 'A protocol that has the right vibes can have fundamental substance flaws that compromise everything it claims to protect.' Dorsey later admitted that the software had not been subject to an external security review and so may contain vulnerabilities.

The impersonation concerns also extend to the app itself.
As of now, the app can be downloaded for iOS via the App Store, or it can be loaded onto an Android device by downloading the app from GitHub. However, the Google Play store hosts multiple apps that appear to be pretending to be Dorsey's app, which have garnered thousands of downloads. Dorsey has not directly addressed the fake Bitchat apps on the Google Play store, but he did repost another user's X post that said that Bitchat is not yet on Google Play, and to 'beware of fakes.'