Elon Musk’s XChat: how secure is the new messaging app? | Kaspersky official blog
XChat is a new messaging app launched by Elon Musk that claims to offer end-to-end encryption but implements it in a way that raises significant security concerns. Unlike established secure messengers like Signal, XChat stores users' private encryption keys on its servers, protected only by a user-chosen four-digit PIN. This design choice undermines the privacy guarantees of end-to-end encryption, as the service operator could potentially access private keys. The PIN system is weak due to its short length and allowance of up to 20 brute-force attempts, risking unauthorized access or permanent loss of chat history. Additionally, the app's encryption is conditional on users following or interacting with each other, and initial message requests are sent unencrypted. Overall, XChat's security model is less robust than competitors and may not provide the privacy users expect from an end-to-end encrypted messaging service.
AI Analysis
Technical Summary
XChat, Elon Musk's messaging app launched in April 2026 for iOS, claims to use 'Bitcoin-style encryption' and end-to-end encryption but stores users' private keys on its servers within hardware security modules (HSMs). This contrasts with apps like Signal, which keep private keys solely on user devices. XChat protects these server-stored keys with a four-digit PIN, which is vulnerable to brute force due to its short length and the app allowing 20 attempts. The app requires users to follow or have interacted before enabling encrypted chats; otherwise, initial messages are sent unencrypted. Users must create a PIN to decrypt past messages, but the app prompts for this PIN before setup, causing confusion and potential loss of chat history if the PIN is forgotten or reset. Experts criticize this architecture as weakening privacy guarantees and making the app less secure than established encrypted messengers.
Potential Impact
The main impact is the reduced confidentiality of user communications due to private keys being stored on XChat servers rather than exclusively on user devices. This design allows the service operator or an attacker who compromises the servers to potentially access private keys and decrypt user messages. The weak four-digit PIN protecting these keys is susceptible to brute-force attacks, increasing the risk of unauthorized access or permanent loss of encrypted chat history. Additionally, initial message requests sent without encryption expose metadata and message content to interception. These factors collectively undermine the privacy and security assurances typically expected from end-to-end encrypted messaging apps.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Users should avoid using predictable or easily guessable PINs, such as birth years or common sequences like '1234'. It is critical not to forget the PIN, as losing it results in permanent loss of access to encrypted chat history. Users are advised to store their PIN securely in a password manager rather than in insecure notes. Until improvements or official fixes are released, users requiring strong privacy should consider using established secure messaging apps like Signal or WhatsApp instead of XChat.
Elon Musk’s XChat: how secure is the new messaging app? | Kaspersky official blog
Description
XChat is a new messaging app launched by Elon Musk that claims to offer end-to-end encryption but implements it in a way that raises significant security concerns. Unlike established secure messengers like Signal, XChat stores users' private encryption keys on its servers, protected only by a user-chosen four-digit PIN. This design choice undermines the privacy guarantees of end-to-end encryption, as the service operator could potentially access private keys. The PIN system is weak due to its short length and allowance of up to 20 brute-force attempts, risking unauthorized access or permanent loss of chat history. Additionally, the app's encryption is conditional on users following or interacting with each other, and initial message requests are sent unencrypted. Overall, XChat's security model is less robust than competitors and may not provide the privacy users expect from an end-to-end encrypted messaging service.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
XChat, Elon Musk's messaging app launched in April 2026 for iOS, claims to use 'Bitcoin-style encryption' and end-to-end encryption but stores users' private keys on its servers within hardware security modules (HSMs). This contrasts with apps like Signal, which keep private keys solely on user devices. XChat protects these server-stored keys with a four-digit PIN, which is vulnerable to brute force due to its short length and the app allowing 20 attempts. The app requires users to follow or have interacted before enabling encrypted chats; otherwise, initial messages are sent unencrypted. Users must create a PIN to decrypt past messages, but the app prompts for this PIN before setup, causing confusion and potential loss of chat history if the PIN is forgotten or reset. Experts criticize this architecture as weakening privacy guarantees and making the app less secure than established encrypted messengers.
Potential Impact
The main impact is the reduced confidentiality of user communications due to private keys being stored on XChat servers rather than exclusively on user devices. This design allows the service operator or an attacker who compromises the servers to potentially access private keys and decrypt user messages. The weak four-digit PIN protecting these keys is susceptible to brute-force attacks, increasing the risk of unauthorized access or permanent loss of encrypted chat history. Additionally, initial message requests sent without encryption expose metadata and message content to interception. These factors collectively undermine the privacy and security assurances typically expected from end-to-end encrypted messaging apps.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Users should avoid using predictable or easily guessable PINs, such as birth years or common sequences like '1234'. It is critical not to forget the PIN, as losing it results in permanent loss of access to encrypted chat history. Users are advised to store their PIN securely in a password manager rather than in insecure notes. Until improvements or official fixes are released, users requiring strong privacy should consider using established secure messaging apps like Signal or WhatsApp instead of XChat.
Technical Details
- Article Source
- {"url":"https://www.kaspersky.com/blog/xchat-privacy-security-risks/55930/","fetched":true,"fetchedAt":"2026-06-05T14:24:08.218Z","wordCount":2052}
Threat ID: 6a22dc08e29bf47b507d58c2
Added to database: 6/5/2026, 2:24:08 PM
Last enriched: 6/5/2026, 2:24:16 PM
Last updated: 6/5/2026, 4:06:45 PM
Views: 5
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.