Serial entrepreneur Jack Dorsey, who cofounded Twitter, Block, and Bluesky, has started yet another new app — and this one's got an embarrassing secret.
As TechCrunch reports, Dorsey's new open source messaging app, Bitchat, is supposed to be decentralized, private, and secure.
There's only one problem: by the project's own admission, the Bluetooth-based app may not actually deliver on that promise.
"This software has not received external security review and may contain vulnerabilities and does not necessarily meet its stated security goals," reads the disclaimer in Bitchat's GitHub repository. "Do not use it for production use, and do not rely on its security whatsoever until it has been reviewed."
That warning, TechCrunch notes, only appeared after the app was launched, and after security researchers were able to spoof other people's identities on Bitchat.
In a recent blog post, coder Alex Radocea explained that he was able to impersonate other users on the app because of its "broken identity authentication/verification" — a "completely avoidable" issue had Bitchat's creators just done a bit more legwork on building out the security protocols.
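The class of bug described above, where a receiver trusts the identity a message claims rather than checking that claim against a key, is easiest to see beside the check that prevents it. The following Go program is an added illustration written for this article; it is not Bitchat's code, and its envelope format, fingerprint scheme (SHA-256 of an Ed25519 public key) and the "Alice/Mallory" scenario are constructed for the example. It puts a "trust the label" verifier next to one that performs the basic sanity check Radocea describes: the shipped public key must hash to the claimed identity, and the message must carry a valid signature under that key. Both of Mallory's forgeries get past the weak verifier and fail the strong one.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Envelope is a constructed message format for this example (not Bitchat's
// wire format): the sender claims an identity, ships the public key that is
// supposed to back it, and signs the whole thing.
type Envelope struct {
	ClaimedID string            // fingerprint the sender claims to be
	PubKey    ed25519.PublicKey // key the sender says backs that fingerprint
	Body      []byte
	Sig       []byte
}

// Fingerprint binds a display identity to a key: hex(SHA-256(public key)).
func Fingerprint(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return hex.EncodeToString(sum[:])
}

// signingInput covers the claimed identity, the key and the body, so none of
// them can be swapped after signing.
func signingInput(e Envelope) []byte {
	var b bytes.Buffer
	b.WriteString(e.ClaimedID)
	b.WriteByte(0)
	b.Write(e.PubKey)
	b.WriteByte(0)
	b.Write(e.Body)
	return b.Bytes()
}

// Seal produces an honest message from the holder of priv.
func Seal(priv ed25519.PrivateKey, body []byte) Envelope {
	pub := priv.Public().(ed25519.PublicKey)
	e := Envelope{ClaimedID: Fingerprint(pub), PubKey: pub, Body: body}
	e.Sig = ed25519.Sign(priv, signingInput(e))
	return e
}

// AcceptWeak is the "trust the label" mistake: the only check is that the
// claimed identity is one this peer already knows.
func AcceptWeak(e Envelope, known map[string]bool) bool {
	return known[e.ClaimedID]
}

// AcceptStrong does the sanity checks: the key must match the claimed
// identity, and the signature must verify under that key.
func AcceptStrong(e Envelope, known map[string]bool) error {
	if !known[e.ClaimedID] {
		return errors.New("unknown identity")
	}
	if len(e.PubKey) != ed25519.PublicKeySize {
		return errors.New("malformed public key")
	}
	if Fingerprint(e.PubKey) != e.ClaimedID {
		return errors.New("public key does not match claimed identity")
	}
	if !ed25519.Verify(e.PubKey, signingInput(e), e.Sig) {
		return errors.New("bad signature")
	}
	return nil
}

// Verdict records what each verifier decided about one message.
type Verdict struct {
	Weak   bool  // AcceptWeak's decision
	Strong error // AcceptStrong's decision (nil means accepted)
}

// RunScenario: Bob knows Alice's fingerprint. Mallory (constructed attacker)
// tries two forgeries; the result of each under both verifiers is returned.
func RunScenario() (honest error, keyForgery, sigForgery Verdict) {
	alicePub, alicePriv, _ := ed25519.GenerateKey(rand.Reader)
	_, malloryPriv, _ := ed25519.GenerateKey(rand.Reader)
	known := map[string]bool{Fingerprint(alicePub): true}

	// A genuine message from Alice must pass the strong verifier.
	honest = AcceptStrong(Seal(alicePriv, []byte("meet at 7")), known)

	// Forgery 1: claim Alice's fingerprint but ship Mallory's own key.
	malloryPub := malloryPriv.Public().(ed25519.PublicKey)
	f1 := Envelope{ClaimedID: Fingerprint(alicePub), PubKey: malloryPub, Body: []byte("send me the keys")}
	f1.Sig = ed25519.Sign(malloryPriv, signingInput(f1))
	keyForgery = Verdict{AcceptWeak(f1, known), AcceptStrong(f1, known)}

	// Forgery 2: copy Alice's public key too (it is public) and sign with Mallory's key.
	f2 := Envelope{ClaimedID: Fingerprint(alicePub), PubKey: alicePub, Body: []byte("send me the keys")}
	f2.Sig = ed25519.Sign(malloryPriv, signingInput(f2))
	sigForgery = Verdict{AcceptWeak(f2, known), AcceptStrong(f2, known)}
	return honest, keyForgery, sigForgery
}

func main() {
	h, k, s := RunScenario()
	fmt.Println("honest message accepted by strong verifier:", h == nil)
	fmt.Printf("key forgery: weak=%v strong=%v\n", k.Weak, k.Strong)
	fmt.Printf("sig forgery: weak=%v strong=%v\n", s.Weak, s.Strong)
}
```

The fingerprint check alone is not enough: in the second forgery the key does match the claimed identity, because public keys are public, and only the signature check exposes that the sender never held the private half. Any scheme that lets a peer announce an identity without proving possession of the key behind it is open to exactly this kind of impersonation.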
After discovering that vulnerability, Radocea filed a GitHub ticket asking how to flag the problem, only for Dorsey to mark it as "completed" without responding. A few days later, the former Twitter CEO reopened the ticket and told the security researcher to report such issues by posting directly on GitHub, TechCrunch notes.
In the aftermath of that exchange, Radocea is cautioning potential users not to trust Bitchat's security-forward claims just yet, especially given that other researchers have since reported additional vulnerabilities of their own.
"Security is a great feature to have for going viral," he told TechCrunch. "But a basic sanity check... would be a very obvious thing to test when building something like this."
"There are people out there that would take the messaging around security literally and could rely on it for their safety," Radocea continued, "so the project in its current state could endanger them."
Though Bitchat's new disclaimer says the software has not received external security review, Radocea countered that it has, albeit informally.
"I’d argue it has received external security review," he quipped, "and it’s not looking good."