Technology
Danish Kapoor

Jack Dorsey’s announcement of Bitchat before security testing has caused controversy

Bitchat, Jack Dorsey’s new messaging application, can communicate over Bluetooth without an internet connection. The application has drawn attention for its open-source code and end-to-end encryption, and has been promoted for its decentralized design. Dorsey published a technical document emphasizing the security of the system and described the application as “privacy-first”. Despite all these statements, security experts have begun to express serious concerns.

A note added to the application’s GitHub page revealed that Bitchat has not yet undergone any external security review. According to Dorsey’s own statement, the application is not suitable for secure use in its current form. No team had tested the project, and it became clear that basic security checks had not been completed. The warning added to the GitHub page stated clearly that, for now, users should only use the application for testing purposes.

Bitchat is built on a system that fails at authentication

The findings shared by security researcher Alex Radocea on this situation revealed weaknesses in the basic components of the system. Radocea said Bitchat has a major deficiency in its authentication mechanism. The identity-recognition process, which relies on its “favorite” contacts system, could allow malicious actors to communicate under someone else’s identity. This is a vulnerability that directly undermines the application’s purpose of communicating securely.

Radocea reported the security problem through GitHub in an attempt to reach the developers responsible for the issue. However, Dorsey marked the report as “completed” without any explanation. He later reopened it and announced that security issues could be reported directly through GitHub. This development raised serious questions about transparency.

In addition to all this, Bitchat’s claim to provide forward secrecy was questioned. Forward secrecy ensures that the keys protecting past messages cannot be obtained in the future. However, some experts said that this feature does not work fully in practice. The fact that such claims were not backed by a real cryptographic infrastructure caused concern in the security community.
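To make the forward-secrecy property concrete, the following is an added example and not Bitchat’s code or anything from the project’s repository. It uses a simplified symmetric hash ratchet (HMAC-SHA256 chain keys, a toy XOR stream cipher with an authentication tag) as a stand-in for a real messaging protocol, and a constructed all-zero root key in place of a handshake-derived session key. The function names and the `recover_with_state` attacker model are assumptions for the demonstration. It shows the difference between a ratcheted session, where compromise of the current key state recovers none of the earlier messages, and a static long-lived key, where one compromise decrypts the whole history; it also shows the caveat that a plain hash ratchet does not protect messages sent after the compromise.

```python
import hashlib
import hmac
from typing import List, Optional, Tuple

TAG_LEN = 16  # bytes of authentication tag appended to each ciphertext


def kdf(key: bytes, label: bytes) -> bytes:
    """HMAC-SHA256 as a one-way derivation: the output reveals nothing about `key`."""
    return hmac.new(key, label, hashlib.sha256).digest()


def ratchet(chain_key: bytes) -> Tuple[bytes, bytes]:
    """Advance the chain one step; returns (next_chain_key, message_key)."""
    return kdf(chain_key, b"next-chain"), kdf(chain_key, b"message-key")


def keystream(key: bytes, length: int) -> bytes:
    """Counter-mode keystream derived from `key` (toy construction for the demo)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += kdf(key, b"stream" + counter.to_bytes(4, "big"))
        counter += 1
    return out[:length]


def seal(message_key: bytes, plaintext: bytes) -> bytes:
    """XOR-encrypt and append a tag so a decryptor can tell a wrong key from the right one."""
    body = bytes(p ^ k for p, k in zip(plaintext, keystream(message_key, len(plaintext))))
    tag = kdf(message_key, b"tag" + body)[:TAG_LEN]
    return body + tag


def open_sealed(message_key: bytes, ciphertext: bytes) -> Optional[bytes]:
    """Return the plaintext, or None if the tag does not verify under this key."""
    body, tag = ciphertext[:-TAG_LEN], ciphertext[-TAG_LEN:]
    if not hmac.compare_digest(kdf(message_key, b"tag" + body)[:TAG_LEN], tag):
        return None
    return bytes(c ^ k for c, k in zip(body, keystream(message_key, len(body))))


def send_with_ratchet(root_key: bytes, plaintexts: List[bytes]) -> Tuple[List[bytes], bytes]:
    """Encrypt each message under a fresh key that is discarded afterwards.

    Returns the ciphertexts and the live chain key, i.e. the only secret that a
    device compromise after the last message would expose.
    """
    chain = root_key
    ciphertexts = []
    for pt in plaintexts:
        chain, message_key = ratchet(chain)
        ciphertexts.append(seal(message_key, pt))
        # message_key goes out of scope here; the previous chain key is gone as well
    return ciphertexts, chain


def send_with_static_key(key: bytes, plaintexts: List[bytes]) -> Tuple[List[bytes], bytes]:
    """The no-forward-secrecy baseline: every message under the same long-lived key."""
    return [seal(key, pt) for pt in plaintexts], key


def recover_with_state(state: bytes, ciphertexts: List[bytes]) -> List[Optional[bytes]]:
    """What a holder of `state` can decrypt: the state itself and every key
    reachable from it by ratcheting forward. One-way derivation means no key
    used *before* `state` existed is reachable."""
    candidates = [state]
    chain = state
    for _ in ciphertexts:
        chain, message_key = ratchet(chain)
        candidates.extend([chain, message_key])
    recovered = []
    for ct in ciphertexts:
        pt = None
        for key in candidates:
            pt = open_sealed(key, ct)
            if pt is not None:
                break
        recovered.append(pt)
    return recovered


if __name__ == "__main__":
    root = bytes(32)  # constructed demo key; a real session key would come from a handshake
    past = [b"meet at the usual place", b"bring the documents"]

    # Ratcheted session: the current state reveals nothing about earlier traffic.
    cts, state = send_with_ratchet(root, past)
    print("ratchet, past messages recovered:", recover_with_state(state, cts))

    # Caveat: the same state does reveal everything sent afterwards until keys are refreshed.
    future_cts, _ = send_with_ratchet(state, [b"next message"])
    print("ratchet, future messages recovered:", recover_with_state(state, future_cts))

    # Static key: one compromise decrypts the whole history.
    static_cts, key = send_with_static_key(root, past)
    print("static key, past messages recovered:", recover_with_state(key, static_cts))
```

The point a reviewer would check in a real protocol is the second output of the demo: a hash ratchet alone gives forward secrecy but not post-compromise security, which is why deployed protocols combine it with fresh Diffie-Hellman exchanges. A claim of forward secrecy is only meaningful if the old keys are actually deleted and cannot be re-derived from anything the device still holds.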

In addition, another user drew attention to a possible “buffer overflow”. Such a bug can leak the application’s memory to other users and, in turn, allow attackers to gain control over both the application and the device. Releasing the application without testing for such basic flaws is a serious problem in terms of the software development process.

Radocea said that security claims were enough to go viral, but that it is far more important to test whether the application is really secure. He said that people who trust and use such applications may face real dangers. It was emphasized that Dorsey’s “promising but untested” application could pose a threat to users in high-risk areas. For this reason, many experts consider it unethical to offer the application for use in this form.
