Jack Dorsey says his ‘secure’ new Bitchat app has not been tested for security

Source: techcrunch
Author: Lorenzo Franceschi-Bicchierai
Published: 7/9/2025

Block CEO and Twitter co-founder Jack Dorsey recently launched Bitchat, a decentralized messaging app that uses Bluetooth and end-to-end encryption, aiming to provide secure communication in environments where internet access is restricted or monitored. Dorsey emphasized that Bitchat’s design prioritizes security, but he has openly admitted that the app has not undergone any external security reviews or testing. A disclaimer was added to Bitchat’s GitHub page warning users not to rely on the app’s security or use it for production until it has been properly vetted.

Security researchers quickly identified significant vulnerabilities in Bitchat. Notably, Alex Rodocea discovered a critical flaw in the app’s identity authentication system, allowing attackers to impersonate contacts by intercepting digital identity keys, undermining the app’s core security feature of verifying trusted contacts (“Favorites”). Additionally, another potential buffer overflow vulnerability was reported, which could lead to data compromises. Rodocea cautioned that users should not trust Bitchat’s security

Tags

IoT, Bluetooth, secure-messaging, decentralized-app, end-to-end-encryption, cybersecurity, digital-identity