Jack Dorsey, CEO of Block and co-founder of Twitter, recently unveiled Bitchat—a Bluetooth-based, decentralized messaging platform aiming to deliver “secure” and “private” communications. Within days of its release, however, the app came under scrutiny from security researchers who flagged critical vulnerabilities.
Though Dorsey noted on GitHub that the app “may contain vulnerabilities” and “does not necessarily meet its stated security goals,” the severity of the issues has raised concerns about the app’s readiness for public use.
In a detailed blog post, cybersecurity researcher Alex Radocea exposed a fundamental flaw in Bitchat’s identity verification process. According to Radocea, a malicious actor who observes a user’s “identity key” and “peer ID pair” on the mesh can replay them as their own and impersonate that user, because the app accepts the announced key at face value rather than requiring the sender to prove it holds the matching private key. Other users would then believe they are talking to a verified contact. This vulnerability directly undermines the app’s “Favorites” feature, which is intended to help users confirm trusted identities.
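The class of flaw described above, as an added illustration that is not Bitchat’s code and does not reproduce Radocea’s exploit steps: a receiver that trusts whoever announces a pinned public key, beside a receiver that first issues a fresh challenge and accepts the announcement only when it is signed under the pinned key. The `Announce` structure, the nicknames and the nonce format are constructed for the example; Ed25519 is used simply because Go ships it in the standard library, not because it is Bitchat’s scheme.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Announce is a simplified identity announcement a peer broadcasts over the mesh
// (constructed for this example; not Bitchat's wire format).
type Announce struct {
	PeerID      string
	IdentityKey ed25519.PublicKey
}

// Favorites is the receiver's pinned "verified contact" store: nickname -> identity key.
type Favorites map[string]ed25519.PublicKey

// matchFavorite returns the nickname pinned to the given identity key, if any.
func matchFavorite(f Favorites, key ed25519.PublicKey) (string, bool) {
	for name, pinned := range f {
		if bytes.Equal(pinned, key) {
			return name, true
		}
	}
	return "", false
}

// trustByKeyOnly is the weak pattern: whoever announces a pinned public key is treated
// as that favorite. Public keys are public, so anyone who has seen Alice's announcement
// can replay her key under their own peer ID.
func trustByKeyOnly(f Favorites, a Announce) (string, bool) {
	return matchFavorite(f, a.IdentityKey)
}

// SignedAnnounce carries a signature over (peerID || nonce) made with the identity
// private key, where nonce is a fresh challenge chosen by the receiver.
type SignedAnnounce struct {
	Announce
	Nonce []byte
	Sig   []byte
}

func signAnnounce(priv ed25519.PrivateKey, a Announce, nonce []byte) SignedAnnounce {
	msg := append([]byte(a.PeerID), nonce...)
	return SignedAnnounce{Announce: a, Nonce: nonce, Sig: ed25519.Sign(priv, msg)}
}

// trustWithProof is the hardened pattern: the announcement is accepted only if it
// answers the receiver's own challenge with a valid signature under the pinned key,
// which proves possession of the private key and binds that key to this peer ID.
func trustWithProof(f Favorites, sa SignedAnnounce, challenge []byte) (string, bool) {
	if !bytes.Equal(sa.Nonce, challenge) {
		return "", false // stale or replayed challenge
	}
	name, ok := matchFavorite(f, sa.IdentityKey)
	if !ok {
		return "", false
	}
	msg := append([]byte(sa.PeerID), sa.Nonce...)
	if !ed25519.Verify(sa.IdentityKey, msg, sa.Sig) {
		return "", false
	}
	return name, true
}

func newChallenge() []byte {
	n := make([]byte, 32)
	if _, err := rand.Read(n); err != nil {
		panic(err)
	}
	return n
}

// RunScenario plays out Mallory reusing Alice's public key. It reports whether the
// weak check accepted the forgery, whether the proof-of-possession check rejected
// it, and whether Alice's own signed announcement was still accepted.
func RunScenario() (forgeryAcceptedWeak, forgeryRejectedStrong, genuineAccepted bool) {
	alicePub, alicePriv, _ := ed25519.GenerateKey(rand.Reader)
	_, malloryPriv, _ := ed25519.GenerateKey(rand.Reader)
	favorites := Favorites{"alice": alicePub}

	// Mallory announces Alice's (public) identity key under her own peer ID.
	forged := Announce{PeerID: "mallory-peer", IdentityKey: alicePub}
	_, forgeryAcceptedWeak = trustByKeyOnly(favorites, forged)

	// Under the hardened check Mallory cannot produce a signature Alice's key verifies.
	c := newChallenge()
	_, accepted := trustWithProof(favorites, signAnnounce(malloryPriv, forged, c), c)
	forgeryRejectedStrong = !accepted

	// Alice, holding the private key, still passes.
	c = newChallenge()
	genuine := Announce{PeerID: "alice-peer", IdentityKey: alicePub}
	_, genuineAccepted = trustWithProof(favorites, signAnnounce(alicePriv, genuine, c), c)
	return
}

func main() {
	w, s, g := RunScenario()
	fmt.Printf("weak check accepted forgery: %v\nstrong check rejected forgery: %v\ngenuine accepted: %v\n", w, s, g)
}
```

The point the example makes is that a pinned public key is an identifier, not a credential: pinning only buys anything when every announcement carrying that key is also checked for proof of possession, and the challenge must be fresh per exchange so a captured signature cannot be replayed later.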
Radocea filed a report on GitHub highlighting the bug. The issue was initially marked “completed” by Dorsey, only to be reopened shortly after. Dorsey later clarified that “security issues should be posted directly on GitHub.”
Radocea went on to question Bitchat’s assertion of offering “forward secrecy,” citing a lack of robust cryptographic safeguards. “There are people out there that would take the messaging around security literally… the project in its current state could endanger them,” he warned.
Adding to the list of concerns, another contributor flagged a possible buffer overflow vulnerability, further highlighting gaps in the app’s security architecture. Summing up the current state of Bitchat, Radocea remarked:
“I’d argue it has received external security review, and it’s not looking good.”
While Bitchat is still in early development, the revelations underscore the importance of comprehensive security vetting before promoting privacy-first technologies. The app remains available, but experts urge caution, especially for users who may rely on secure communication for sensitive or high-risk interactions.