On Sunday, Block CEO and Twitter co-founder Jack Dorsey launched an open source chat app called Bitchat, promising “secure” and “private” messaging without centralized infrastructure.
Unlike traditional messaging apps, which rely on the internet, Bitchat depends on Bluetooth and end-to-end encryption. Because it is decentralized, Bitchat could potentially offer a secure app in high-risk environments where the internet is monitored or inaccessible. Dorsey’s white paper, which describes the app’s protocol and privacy mechanisms, says the system’s design “prioritizes security.”
But despite the claim that the app is secure, it is already facing scrutiny from security researchers, given that the app and its code have not been reviewed or tested for security issues, by Dorsey’s own admission.
Since launch, Dorsey has added a warning to Bitchat’s GitHub page: “This software has not received external security review and may not necessarily meet its declared security goals. Do not use it for production use, and do not rely on its security until it has been reviewed.”
This warning is now visible on Bitchat’s main GitHub project page, but it was not there when the app made its debut.
As of Wednesday, Dorsey had added “Work in progress” next to the warning on GitHub.
Security researcher Alex Radocea found that it was possible to impersonate someone else and trick a person’s contacts into thinking they are talking to the legitimate contact, as the researcher explained in a blog post.
Radocea wrote that Bitchat has a “broken identity authentication/verification” system that allows an attacker to intercept someone’s “identity key” and “peer ID pair,” essentially a digital handshake that is supposed to establish a trusted connection between two people using the app. Bitchat calls these “favorite” contacts and marks them with a star icon. The goal of this feature is to let two Bitchat users interact knowing that they are talking to the same person they spoke with before.
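To make the favorites mechanism concrete, here is an added Python example (not Bitchat’s code, and not a reproduction of the exact flaw Radocea documented): a naive favorites store that accepts whatever peer ID/identity key pair is most recently announced, next to a pinned store that refuses silent key changes and requires a challenge-response proof that the peer actually holds the private half of the pinned identity key. The toy Diffie-Hellman group, the class names and the peer IDs are constructed for the demonstration; a real implementation would use a vetted curve and proper signatures.

```python
import hashlib
import hmac
import secrets

# Toy Diffie-Hellman group for the demonstration only (assumption): a real app
# would use a vetted curve such as X25519 plus proper signatures.
P = (1 << 127) - 1   # Mersenne prime 2^127 - 1
G = 3


def keygen():
    """Return (private, public) for the toy group."""
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)


def _mac(shared: int, nonce: bytes) -> bytes:
    return hmac.new(shared.to_bytes(16, "big"), nonce, hashlib.sha256).digest()


def respond(identity_priv: int, eph_pub: int, nonce: bytes) -> bytes:
    """Prover side: only the holder of identity_priv can compute this value."""
    return _mac(pow(eph_pub, identity_priv, P), nonce)


class NaiveFavorites:
    """Vulnerable pattern: the peer ID -> identity key binding is overwritten by
    whatever the latest announcement says, and no proof of possession is asked."""

    def __init__(self):
        self.favorites = {}

    def on_announce(self, peer_id, identity_pub):
        self.favorites[peer_id] = identity_pub       # no pin, no proof

    def is_trusted(self, peer_id, announced_pub):
        return self.favorites.get(peer_id) == announced_pub


class PinnedFavorites:
    """Hardened pattern: pin the identity key when the contact is favorited,
    refuse silent key changes, and require a challenge-response proof."""

    class KeyChanged(Exception):
        pass

    def __init__(self):
        self.pins = {}

    def pin(self, peer_id, identity_pub):
        if self.pins.get(peer_id, identity_pub) != identity_pub:
            raise self.KeyChanged(peer_id)  # surface to the user; never overwrite
        self.pins[peer_id] = identity_pub

    def challenge(self):
        eph_priv, eph_pub = keygen()
        return eph_priv, eph_pub, secrets.token_bytes(16)

    def verify(self, peer_id, claimed_pub, eph_priv, nonce, response):
        pinned = self.pins.get(peer_id)
        if pinned is None or pinned != claimed_pub:
            return False
        expected = _mac(pow(pinned, eph_priv, P), nonce)
        return hmac.compare_digest(expected, response)


def demo():
    """Run both stores against a constructed impersonation attempt."""
    alice_priv, alice_pub = keygen()        # legitimate favorite
    mallory_priv, mallory_pub = keygen()    # impersonator: knows only Alice's peer ID and public key
    alice_id = "peer-alice"
    results = {}

    naive = NaiveFavorites()
    naive.on_announce(alice_id, alice_pub)
    naive.on_announce(alice_id, mallory_pub)     # Alice's peer ID re-announced with another key
    results["naive_fooled"] = naive.is_trusted(alice_id, mallory_pub)

    pinned = PinnedFavorites()
    pinned.pin(alice_id, alice_pub)
    eph_priv, eph_pub, nonce = pinned.challenge()
    results["legit_accepted"] = pinned.verify(
        alice_id, alice_pub, eph_priv, nonce, respond(alice_priv, eph_pub, nonce))
    # Replaying Alice's public key without her private key fails the challenge
    results["replay_rejected"] = not pinned.verify(
        alice_id, alice_pub, eph_priv, nonce, respond(mallory_priv, eph_pub, nonce))
    # A different key under Alice's peer ID is a key-change event, not a silent update
    try:
        pinned.pin(alice_id, mallory_pub)
        results["key_change_flagged"] = False
    except PinnedFavorites.KeyChanged:
        results["key_change_flagged"] = True
    return results


if __name__ == "__main__":
    print(demo())
```

The point of the pinned store is that a peer ID and a public identity key are both broadcast and therefore public; trust has to come from a proof that the peer holds the matching private key, and any change to a pinned key must be shown to the user rather than applied quietly.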
Dorsey did not respond to TechCrunch’s request for comment sent to his Block email address.

On Monday, Radocea filed a ticket on the GitHub project asking how to report security flaws discovered in Bitchat’s favorites system. Soon after, Dorsey marked it as “completed” without comment. (Dorsey reopened the ticket on Wednesday, saying that security issues can be reported by posting directly on GitHub.)
Another person raised concerns about Dorsey’s claim that Bitchat has “forward secrecy,” a cryptographic technique that ensures that even if an attacker steals or compromises an encryption key, the attacker still cannot decrypt previously exchanged messages.
Someone else reported a potential buffer overflow bug, a common type of security vulnerability in which an attacker can force the device to write data outside the memory region intended for it, opening the door to data compromise.
Radocea warned that Bitchat users should not rely on the app yet.
“Security is a great feature for going viral. But checking a basic sanity property, such as whether identity keys actually perform any cryptography, would be a very obvious thing to test,” Radocea told TechCrunch. “There are people who will literally take the messaging around security at face value and rely on it for their safety, so the project in its current state could put them in danger.”
Referring to his own findings and those of others, Radocea criticized Dorsey’s warning that Bitchat had not been tested for security.
“I’d argue that it has received external security review, and it doesn’t look good,” he said.