Jack Dorsey Says His 'Secure' New Bitchat App Has Not Been Tested For Security (techcrunch.com)
- Reference: 0178323044
- News link: https://it.slashdot.org/story/25/07/10/0117206/jack-dorsey-says-his-secure-new-bitchat-app-has-not-been-tested-for-security
- Source link: https://techcrunch.com/2025/07/09/jack-dorsey-says-his-secure-new-bitchat-app-has-not-been-tested-for-security/
> On Sunday, Block CEO and Twitter co-founder Jack Dorsey [1]launched an open source chat app called Bitchat, promising to deliver "secure" and "private" messaging without a centralized infrastructure. The app relies on Bluetooth and end-to-end encryption, unlike traditional messaging apps that rely on the internet. By being decentralized, Bitchat has potential for being a secure app in high-risk environments where the internet is monitored or inaccessible. According to Dorsey's [2]white paper detailing the app's protocols and privacy mechanisms, Bitchat's system design "prioritizes" security.
>
> But the claims that the app is secure are already facing scrutiny by security researchers, given that the app and its code [3]have not been reviewed or tested for security issues at all -- by Dorsey's own admission. Since launching, Dorsey has [4]added a warning to Bitchat's GitHub page: "This software has not received external security review and may contain vulnerabilities and does not necessarily meet its stated security goals. Do not use it for production use, and do not rely on its security whatsoever until it has been reviewed." This warning now also appears on Bitchat's main GitHub project page but was not there at the time the app debuted.
>
> As of Wednesday, Dorsey [5]added: "Work in progress," next to the warning on GitHub. This latest disclaimer came after security researcher Alex Radocea found that it's possible to impersonate someone else and trick a person's contacts into thinking they are talking to the legitimate contact, as the researcher explained in a [6]blog post. Radocea wrote that Bitchat has a "broken identity authentication/verification" system that allows an attacker to intercept someone's "identity key" and "peer id pair" -- essentially a digital handshake that is supposed to establish a trusted connection between two people using the app. Bitchat calls these "Favorite" contacts and marks them with a star icon. The goal of this feature is to allow two Bitchat users to interact, knowing that they are talking to the same person they talked to before.
[1] https://mobile.slashdot.org/story/25/07/07/2132201/jack-dorsey-launches-a-whatsapp-messaging-rival-built-on-bluetooth
[2] https://github.com/jackjackbits/bitchat/blob/main/WHITEPAPER.md#encryption-and-security
[3] https://techcrunch.com/2025/07/09/jack-dorsey-says-his-secure-new-bitchat-app-has-not-been-tested-for-security/
[4] https://github.com/jackjackbits/bitchat/commit/d296f1d6a4ff8ee60c5c15d19e9178a244cf3e5c
[5] https://github.com/jackjackbits/bitchat/commit/ad3afab943efac33505e247e5567a17e5d4c6b90#diff-b335630551682c19a781afebcf4d07bf978fb1f8ac04c6bf87428ed5106870f5L5
[6] https://www.supernetworks.org/pages/blog/agentic-insecurity-vibes-on-bitchat
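To make the identity-binding failure described in the summary concrete, here is an added toy model; it is not Bitchat's code, and the app's real protocol and data structures are not shown on this page. It contrasts a favorites store that trusts whatever identity key was last announced for a peer id with one that pins the first key seen and only accepts a changed key after an out-of-band fingerprint check; all names, keys and the fingerprint scheme are constructed.

```python
import hashlib


def fingerprint(identity_key: bytes) -> str:
    # Short digest two users could compare out of band (constructed scheme).
    return hashlib.sha256(identity_key).hexdigest()[:16]


class NaiveFavorites:
    """Binds peer id -> identity key from announcements alone; last writer wins."""

    def __init__(self):
        self.keys = {}

    def on_announce(self, peer_id: str, identity_key: bytes) -> bool:
        self.keys[peer_id] = identity_key  # no check against the key seen before
        return True

    def is_trusted(self, peer_id: str, identity_key: bytes) -> bool:
        return self.keys.get(peer_id) == identity_key


class PinnedFavorites:
    """Trust-on-first-use: the first key for a peer id is pinned; a different
    key is held as pending until the user verifies its fingerprint."""

    def __init__(self):
        self.keys = {}
        self.pending = {}

    def on_announce(self, peer_id: str, identity_key: bytes) -> bool:
        pinned = self.keys.get(peer_id)
        if pinned is None:
            self.keys[peer_id] = identity_key  # first sighting: pin it
            return True
        if pinned == identity_key:
            return True
        self.pending[peer_id] = identity_key  # key changed: do not trust yet
        return False

    def verify_fingerprint(self, peer_id: str, fp_out_of_band: str) -> bool:
        candidate = self.pending.get(peer_id)
        if candidate is None or fingerprint(candidate) != fp_out_of_band:
            return False
        self.keys[peer_id] = self.pending.pop(peer_id)  # rotate only after a match
        return True

    def is_trusted(self, peer_id: str, identity_key: bytes) -> bool:
        return self.keys.get(peer_id) == identity_key


def demo():
    # Constructed keys: the original contact's key and a second key announced
    # later for the same peer id without any verification.
    alice_key, other_key = b"alice-key-constructed", b"second-key-constructed"
    naive, pinned = NaiveFavorites(), PinnedFavorites()
    for store in (naive, pinned):
        store.on_announce("peer-A", alice_key)
        store.on_announce("peer-A", other_key)
    return (naive.is_trusted("peer-A", other_key),   # True: impersonation accepted
            pinned.is_trusted("peer-A", other_key),  # False: held pending
            pinned.is_trusted("peer-A", alice_key))  # True: original still pinned
```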
Secure (Score:2)
It's 'Trust me Bro' secure. Maybe.
Important omission. (Score:2)
It only runs on Apple stuff.
Re: (Score:2)
Technically Apple is the only app created, but the protocol is open and anyone can make a client for anything else with it.
Techbro says "Launch now, fix later" (Score:2, Insightful)
Instead of piles of warnings that most people won't read and fewer will truly understand the real world implications of, he could have just released it as a beta but nooooooo gotta push shit code and fuck the users. Or he could have actually had it tested. As if he can't afford it.
That sort of bullshit might be acceptable for games or other trivia but for an app where the only big claim is security?
Jack, get off the net. You have enough money. You're making the world a worse place.
mod parent up (Score:2)
Parent post deserves more respect, it's insightful.
But as long as there are no legal consequences for software that has faults, whether security faults or functional faults, this approach of "throw shit out there, and disclaim responsibility for it" will continue.
Re: (Score:3)
> Instead of piles of warnings that most people won't read and fewer will truly understand the real world implications of he could have just released it as a beta but nooooooo gotta push shit code and fuck the users. Or he could have actually had it tested. As if he can't afford it.
> That sort of bullshit might be acceptable for games or other trivia but for an app where the only big claim is security?
> Jack, get off the net. You have enough money. You're making the world a worse place.
Honestly, this is tech-bro culture through and through. Beta level software, sometimes alpha level software, is released to the public as complete, and all real testing happens in the wild. Bug reports are only dealt with if the creator feels like it.
Re: (Score:2)
You could send JD a Bich message about this.
Oh, that pesky security (Score:2)
Devs love to stick to the application part. Security? just gets in the way.
We'll just throw it over the wall to the dummies in ... whatever department that is... don't care, I got my job done.
Expectations (Score:2)
In the launch, just a few days ago, he called this "a personal experiment". Given that, it seems to be a bit churlish to be beating the guy up over a few rough edges. It's clearly a long way from finished, considering the not-yet-implemented features he talked about, and so yeah, there's some bugs too. Give the guy a break.
"It's secure because I said so." (Score:3)
The first rule of security is usually "don't make your own". In other words, use existing, tested, verified, trusted code, protocols, and processes. Now if your INTENT is to roll your own, you really do need a lot of peer review. Even if you have a Ph.D. in cyber-security and secure coding, you really still need others to take a look at it to see if you missed something. Because EVERYBODY misses something. The attack surface is just too broad to catch every subtle thing on the first run through.
And if some 3rd party hops in and IMMEDIATELY finds a hole (without the benefit of the source to look through) it's virtually guaranteed to have a lot more holes in it just waiting to be zero-day'd.
Lying replaces actual quality... (Score:2)
That pretty much has become the new normal. Instead of delivering quality and the features they promise, these assholes now simply lie about it and claim to have features in their products that are not actually there. It is high time for liability. And a direct lie like this one should come with personal criminal consequences for the c-levels.
Haven't you done enough damage, Jack? (Score:2)
n/t
secure (Score:2)
Typo. He meant "sinecure."
Bluetooth? (Score:2)
Where do I sign up for worldwide Bluetooth network? Does it run in parallel with the internet?
Bitchchat? (Score:3)
Me and my dirty mind: that's what I thought it was called.
Re:Bitchchat? (Score:5, Funny)
Yea it's not Bitchchat, it's Bitch@
Re: (Score:2)
Where da bitch at?
Re: (Score:1)
That is exactly how I read it! NEVER would have thought Bit Chat. I can't imagine what the app launch icon will look like.
Re: (Score:3)
I really feel there is a BitchCoin angle on this, but I just haven't drunk enough coffee yet.
BitchX? (Score:1)
You folks remember BitchX?
They spent like a decade to patch an RCE so this will probably be a spiritual successor.
Re: (Score:2)
I saw BitchAt. It could be a new, novel way to bitch at somebody you're pissed off at.