Security Experts Slam X's New Encrypted Chat Over Key Storage Flaws

X, formerly Twitter, has introduced XChat, a standalone messaging app featuring end-to-end encrypted direct messages and topic feed filters. Users set up encryption by creating a four-digit PIN, which protects their private keys stored on X's servers using a system called Juicebox. This sharding approach spreads key material across three servers, but experts highlight significant risks since X controls all of them.

Cryptography specialists, including those from Cryptography Engineering, criticize the lack of forward secrecy and reliance on long-term public keys without continuous updates like Signal's double-ratchet mechanism. Private keys on X's servers—potentially without robust Hardware Security Modules (HSMs)—could allow X to access and decrypt messages, either for internal reasons or under legal pressure. Timing analysis suggests software-based HSMs, making brute-force attacks on weak PINs feasible.

This matters as X positions itself against secure messengers like Signal and WhatsApp, which store keys on-device. Critics argue XChat sacrifices privacy for multi-device support, including web browsers, eroding user trust amid Elon Musk's mixed privacy track record. Discussions on privacy forums echo skepticism, warning that proprietary cryptography lacks auditability.

Looking ahead, X must prove HSM usage and key ceremony transparency to build confidence. Until then, experts advise against using XChat for sensitive communications, urging users to prioritize proven E2EE apps.