JAKARTA - X, formerly known as Twitter, recently released an encrypted messaging feature called XChat. Although it is claimed to be encrypted, the feature has been shown to still be unsafe and cannot be fully trusted.
End-to-end encryption is supposed to keep users' messages safe and inaccessible to anyone else. However, research by cryptography experts shows that XChat's implementation of this encryption is much worse than that of the Signal app.
According to TechCrunch, experts have highlighted a number of weaknesses that they consider critical and that leave message confidentiality more exposed. One of these weaknesses is how users' private keys are stored.
X asks users to create a four-digit PIN that is used to encrypt their private key, which is then stored on X's servers. This differs from Signal, which stores private keys on the user's device.
According to security researcher MatthewGerman, if X does not use a Hardware Security Module (HSM), the company could tamper with the key. Because the PIN is only four digits, the key could also potentially be accessed by brute force.
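An added example, not from the article or from X: a sketch of why a four-digit PIN gives little protection to a server-stored key unless the number of guesses is limited by hardware such as an HSM. The wrapping scheme (PBKDF2 plus HMAC), the iteration count and every name here are assumptions for illustration; the page does not describe XChat's actual construction.

```python
import hashlib, hmac, secrets

ITERATIONS = 200  # assumption, kept low so the demo is fast; a higher cost
                  # only multiplies the time needed to cover 10,000 PINs

def _kek(pin, salt):
    """Derive the key-encryption key from the PIN (hypothetical scheme)."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, ITERATIONS)

def _mac(kek, label, data):
    return hmac.new(kek, label + data, hashlib.sha256).digest()

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def wrap_key(pin, private_key):
    """Encrypt a key of up to 32 bytes under the PIN; returns the stored blob."""
    salt = secrets.token_bytes(16)
    kek = _kek(pin, salt)
    ct = _xor(private_key, _mac(kek, b"enc", salt))
    return salt, ct, _mac(kek, b"tag", ct)

def unwrap_key(pin, blob):
    """Return the private key, or None if the PIN is wrong."""
    salt, ct, tag = blob
    kek = _kek(pin, salt)
    if not hmac.compare_digest(tag, _mac(kek, b"tag", ct)):
        return None
    return _xor(ct, _mac(kek, b"enc", salt))

def pins_needed_to_recover(blob):
    """Without a guess limit, whoever holds the blob can test every PIN."""
    for n in range(10_000):
        if unwrap_key(f"{n:04d}", blob) is not None:
            return n + 1
    return None

class AttemptLimitedStore:
    """Models an HSM-style guard: the blob never leaves, guesses are counted."""
    def __init__(self, blob, max_failures=10):
        self._blob, self._left = blob, max_failures

    def unwrap(self, pin):
        if self._left <= 0:
            raise PermissionError("locked after too many wrong PINs")
        key = unwrap_key(pin, self._blob)
        if key is None:
            self._left -= 1
        return key
```

The unrestricted search always finishes within 10,000 derivations, while the attempt-limited store locks long before the PIN space is covered, which is the property an HSM is expected to enforce.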
So far, X has not provided evidence that it uses HSMs. Another fatal weakness comes from X's own statement that 'insiders who intend to be malicious or X itself' can endanger the conversation. This creates the potential for adversary-in-the-middle (AITM) attacks.
This means that third parties could peek at the conversation. GERy added that X could create a new key every time there is communication. This leaves users unable to confirm whether their encryption is really safe from X.
Finally, XChat does not have perfect forward secrecy, a mechanism that encrypts each message with a different key. If a user's private key is successfully broken, all old messages can be decrypted. X has also acknowledged this shortcoming.