- Twitter announced its new encrypted DMs feature last week.
- Elon Musk and the company both warned that it wasn't fully secure yet so shouldn't be trusted.
A Twitter engineer leading the platform's new encrypted messaging feature for paid users appeared to falsely claim that it had been audited by a top cybersecurity firm, Platformer reported.
When Twitter released the feature last week, it came with several disclaimers that it wasn't yet fully secure.
"The acid test is that I could not see your DMs even if there was a gun to my head," Elon Musk wrote on Twitter – adding that the company wasn't quite at that level. "Try it, but don't trust it yet," he later said.
The idea is that by having DMs encrypted, text can only be read by participants of that conversation – as is the case on platforms such as WhatsApp.
Twitter said in a blog post that this new feature could be vulnerable to "man-in-the-middle attacks" which would let "a malicious insider, or Twitter itself as a result of a compulsory legal process" access users' DMs.
According to Platformer, Christopher Stanley – a former SpaceX staffer who now runs Twitter's security engineering and the encrypted DMs project – said in a now-deleted tweet that this new feature had been audited by a cybersecurity firm called Trail of Bits.
"A white paper will be published soon," Stanley reportedly tweeted. "I had [cybersecurity firm] Trail of Bits audit our implementation. Dan Guido and those folks are badass" – referring to its CEO, who has also advised the Commodity Futures Trading Committee.
But Twitter hadn't even signed a contract with the firm yet, unnamed company sources told Platformer.
According to the tech newsletter, that's because Twitter keeps laying off the procurement staff who would handle such deals.
Since Musk took over the company last October, Twitter's workforce has fallen roughly 90% to around 1,000 employees, Insider's Kali Hays reported. These layoffs have caused at least one major outage on Twitter.
Insider contacted Twitter for comment. The company responded with an automated message that didn't address the inquiry.
Trail of Bits did not immediately respond to Insider's request for comment, which was sent outside US working hours.