X’s New Encrypted Chat Has Major Security Flaws Experts Warn

X claims its new encrypted chat keeps your messages safe, but experts warn the gaps make it closer to encryption theater than real security.

Sep 9, 2025

Cryptography experts are warning that X’s current implementation of encryption should not be trusted.

While the platform claims to offer end-to-end encrypted messaging through its new XChat feature, the technical details reveal significant gaps that make it far less secure than established alternatives. What we are seeing is encryption theater; the marketing sounds impressive, but the implementation falls well short of real security.

What X’s encryption actually promises (and what it doesn’t)

X’s encrypted messaging feature comes with limitations that set it apart from truly secure options. Both the sender and recipient need to be paying X users for encrypted messaging to work. That leaves out journalists, activists, and everyday users who might need it most.

Even more concerning, X's encrypted messaging only applies to text; media such as videos and pictures are not encrypted. Picture this: you send an encrypted note that says "here's that sensitive document," but the attachment sits unprotected on X's servers, readable by anyone with access to them. For people sharing evidence, legal documents, or sensitive photos, that is a huge blind spot.

The platform also admits that the metadata of each encrypted message is not encrypted. Metadata reveals who is talking to whom and when. For a source texting a journalist or an organizer planning a protest, those patterns alone can be risky.

The technical problems that should worry you

The details point to fundamental flaws that mature systems solved years ago. By the platform's own account, the current implementation could allow "a malicious insider or X itself" to compromise conversations through an adversary-in-the-middle (AiTM) attack. In plain language, X runs the server that hands out public keys, so it could give you a key it controls instead of your contact's, read everything, re-encrypt it for the real recipient, and you would have no easy way to notice. That is exactly why Signal and WhatsApp expose safety numbers that both parties can compare out of band: a substituted key changes the fingerprint.

Most critically, X does not offer perfect forward secrecy (PFS). A forward-secret protocol ratchets its keys so that each message is encrypted under a fresh key derived one-way from the previous one and then deleted. Without it, an attacker who later obtains a user's private key can decrypt every message ever sent under it, past and future, not just the latest ones.
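To make the forward-secrecy point concrete, here is an added illustration, constructed for this article and not X's or Signal's code, of a single symmetric KDF chain of the kind the Signal Protocol uses, built from HMAC-SHA256 alone. It puts a static-key session beside a ratcheted one and simulates the theft of the sender's key material after the second message: the stolen chain key can be run forward to later message keys but not backward to the ones already discarded. The `encrypt`/`decrypt` pair is a toy keystream-XOR-plus-HMAC construction chosen only to keep the file self-contained; it stands in for a real AEAD and should not be reused as a cipher.

```python
"""Forward secrecy in a symmetric KDF chain (constructed demonstration).

Not X's or Signal's code. A static-key session is compared with a
Signal-style hash ratchet built only from HMAC-SHA256; the cipher below is a
toy keystream XOR plus HMAC tag used only to keep the file self-contained."""
import hashlib
import hmac
import os
from typing import List, Optional, Tuple

TAG_LEN = 32


def kdf(key: bytes, label: bytes) -> bytes:
    """One-way derivation step: HMAC-SHA256(key, label)."""
    return hmac.new(key, label, hashlib.sha256).digest()


def ratchet_step(chain_key: bytes) -> Tuple[bytes, bytes]:
    """Advance the chain. Both outputs are one-way functions of chain_key,
    so whoever holds next_chain_key cannot recover chain_key or message_key."""
    return kdf(chain_key, b"chain"), kdf(chain_key, b"message")


def _keystream(enc_key: bytes, length: int) -> bytes:
    blocks = (length + 31) // 32
    return b"".join(kdf(enc_key, i.to_bytes(4, "big")) for i in range(blocks))[:length]


def encrypt(message_key: bytes, plaintext: bytes) -> bytes:
    """Toy encrypt-then-MAC: keystream XOR, then a 32-byte HMAC tag."""
    enc_key, mac_key = kdf(message_key, b"enc"), kdf(message_key, b"mac")
    ct = bytes(p ^ s for p, s in zip(plaintext, _keystream(enc_key, len(plaintext))))
    return ct + hmac.new(mac_key, ct, hashlib.sha256).digest()


def decrypt(message_key: bytes, blob: bytes) -> Optional[bytes]:
    """Returns the plaintext, or None if the tag does not verify under this key."""
    enc_key, mac_key = kdf(message_key, b"enc"), kdf(message_key, b"mac")
    ct, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, ct, hashlib.sha256).digest()):
        return None
    return bytes(c ^ s for c, s in zip(ct, _keystream(enc_key, len(ct))))


def static_key_attack(messages: List[bytes]) -> List[Optional[bytes]]:
    """No forward secrecy: one long-lived key protects every message, so an
    attacker who obtains it later (for example from a server-side key backup
    guarded by a short PIN) reads the whole history."""
    key = os.urandom(32)
    ciphertexts = [encrypt(key, m) for m in messages]
    stolen = key                          # attacker's view after the compromise
    return [decrypt(stolen, c) for c in ciphertexts]


def ratchet_attack(messages: List[bytes], compromise_after: int) -> List[Optional[bytes]]:
    """Forward secrecy: the sender's chain key is stolen once `compromise_after`
    messages have been sent. The attacker can ratchet forward to every later
    message key, but the earlier keys were derived one-way and then deleted."""
    chain_key = os.urandom(32)
    ciphertexts = []
    stolen = None
    for i, m in enumerate(messages):
        if i == compromise_after:
            stolen = chain_key            # attacker snapshots the current state
        chain_key, message_key = ratchet_step(chain_key)
        ciphertexts.append(encrypt(message_key, m))
        del message_key                   # per-message key is discarded after use
    if stolen is None:                    # compromise happened after the last message
        stolen = chain_key

    derived: List[bytes] = []
    state = stolen
    for _ in messages:                    # run the stolen chain forward
        state, mk = ratchet_step(state)
        derived.append(mk)

    recovered = []
    for c in ciphertexts:                 # try every derivable key on every ciphertext
        hits = (decrypt(mk, c) for mk in derived)
        recovered.append(next((pt for pt in hits if pt is not None), None))
    return recovered


if __name__ == "__main__":
    history = [b"hi", b"here is that sensitive document", b"thanks", b"bye"]
    print("static key, compromised later:", static_key_attack(history))
    print("hash ratchet, chain key stolen after 2 messages:", ratchet_attack(history, 2))
```

The ratchet shown is only the symmetric half of what Signal does. The Double Ratchet additionally mixes fresh Diffie-Hellman outputs into the chain at each turn of the conversation, so a compromise also heals once the parties exchange new keys; a pure hash chain cannot give that, but it is enough to show why a long-lived key held on a server is the wrong design.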

Key management makes things worse. X asks users to set a four-digit PIN to protect their private keys, then stores those keys on X's servers. A four-digit PIN has only 10,000 possible values, so anything guarded by it alone can be brute-forced in moments; the only thing that makes such a design defensible is a Hardware Security Module, a hardened device that rate-limits guesses and makes it extremely hard even for the operator to extract what it holds. Without that, the key store is a big target. An X engineer said they use these modules, but neither he nor the company has provided proof, so users are asked to take it on faith.

How this compares to the gold standard

Line up X’s approach next to the best in class and the gap is obvious. The current gold standard of security protocols for messaging systems is the Signal Protocol, an open source model vetted by researchers around the world.

The Signal Protocol uses AES-256, HMAC-SHA256 and Curve25519 as its cryptographic primitives: AES-256 encrypts messages, HMAC-SHA256 checks their integrity and authenticity, and Curve25519 (as X25519) handles key agreement. On top of these it layers the Extended Triple Diffie-Hellman (X3DH) handshake and the Double Ratchet, and the ratchet is what delivers the forward secrecy X lacks. The combination is widely regarded as cryptographically sound.

In stark contrast, none of XChat’s implementation is open source. Signal publishes detailed documentation and code. X does not. No independent review means users are asked to trust without verification.

Why transparency matters for trust

Opacity is not a small nitpick, it is the core issue. X says it aims to “open source our implementation and describe the encryption technology in depth through a technical whitepaper later this year.” That is a promise about tomorrow. People need security today.

Companies should be transparent about the encryption methods and algorithms they use, especially when they claim end-to-end encryption. History is full of systems that looked strong until experts took a proper look. Real security is built in the open, where it can survive public scrutiny.

Matthew Green, a cryptography expert who teaches at Johns Hopkins University, told TechCrunch that without auditing, these systems should not be trusted with sensitive conversations. That view tracks with lessons learned from Zoom's early "end-to-end" claims and other platforms that overpromised and underdelivered.

What you should use instead

If you need truly secure messaging, use tools with proven track records. Signal is recommended as the most trusted option for secure messaging with end-to-end encryption. Signal is free, open source, and widely used by investigative journalists, cybersecurity experts, activists, and government officials.

WhatsApp implemented full end-to-end encryption via the Signal Protocol in 2016, so it is another viable option. Know the tradeoff though. WhatsApp employs end-to-end encryption, but its metadata is unencrypted and stored by Meta. Your messages stay private, your communication patterns do not.

These platforms earned trust through independent audits and performance under pressure. Signal in particular has shown its commitment by providing minimal data in response to law enforcement requests, typically only an account's creation date and the date it last connected, because that is all the service retains.

The bigger picture: Why this matters now

The launch of X's encrypted messaging feature fits a larger pattern. People want privacy, platforms rush to meet that demand, and quality varies. End-to-end encryption is the most secure way to protect messages between two devices because the keys live only on the endpoints, so the service carrying the message cannot read it. Done right, even a server breach or a government demand will not reveal your messages.

Yet many social media companies still rely on weaker designs. That creates a dangerous mismatch between user expectations and actual protection. Some services deliver real end-to-end encryption, some rely on server-side encryption they can read, and others barely go beyond transport layer security, which protects messages only while they are in transit to a server that then sees them in the clear.

X’s approach appears vulnerable to outsiders and, in some scenarios, to the platform itself or insiders. For the moment, until it gets a full audit by someone reputable, treat X’s encrypted messaging with the same caution you would unencrypted chat. That stance protects users and nudges platforms to build security that is real, not just for show.

The hopeful part is that more platforms now recognize that privacy is non-negotiable. The practical takeaway is that your sensitive conversations deserve tools with proven, audited encryption, not experimental systems with known gaps.
