Critical Flaw Discovered in French Government's New Secure Messaging App Tchap


A security expert discovered a critical flaw in Tchap, the newly launched secure encrypted messaging app built by the French government for communication between government officials.

The main aim of the app was to replace popular messaging apps like WhatsApp and Telegram for government officials. Keeping the data flow on internal servers within the country is meant to prevent foreign intruders from spying on their communications.

The Tchap app was launched on April 18, 2019, and is built on Riot, an open source instant messaging client based on the Matrix protocol.

The app was made available on both iOS and Android app stores and can be downloaded by anyone, but only French government employees can access it.

You need to have a French government issued email account such as @gouv.fr or @elysee.fr to sign up and access it.

Now white-hat hacker Robert Baptiste, who goes by the Twitter handle Elliot Alderson, has discovered a critical flaw in the app. The flaw allowed anyone to sign up for an account in the Tchap app without a government-issued email account and to access groups and channels.

In the blog post, the researcher demonstrated how to create an account using a regular email id by exploiting a potential email validation bug in the Tchap Android app.

The researcher did a dynamic analysis of the app and discovered they implemented certificate pinning in the app. He disabled it using Frida.

“During the registration process, the app requests a token and depending on your email address it will use the “correct” id_server. All the available servers are defined in the AndroidManifest.xml.”

At first, the researcher set id_server to matrix.agent.elysee.tchap.gouv.fr and, in the token request, modified the email address to fs0c131y@protonmail.com@elysee.fr, but did not receive any email validation.

In the second attempt, he modified email to fs0c131y@protonmail.com@presidence@elysee.fr and received an email validation from Tchap to his account.

The researcher was logged in as an Elysée employee and had access to all the public rooms.

The researcher reported the issue to the Matrix security team, and they quickly fixed the bug. The patch was explicitly released only to the Tchap app.
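The multi-"@" addresses described above succeed only when the string checked against the domain allowlist is not the same string the validation mail is sent to. The following Python sketch is an added example, not Tchap or Matrix code: it contrasts a suffix-only check with a strict one that returns a single canonical address to use for both the allowlist decision and delivery. The function names, the allowlist contents and the choice to accept subdomains are assumptions.

```python
import re
from typing import Optional

# Assumed allowlist for illustration; the article names @gouv.fr and @elysee.fr.
ALLOWED_DOMAINS = {"gouv.fr", "elysee.fr"}

_LOCAL_RE = re.compile(r"[A-Za-z0-9.!#$%&'*+/=?^_`{|}~-]+")
_LABEL_RE = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?")


def naive_is_allowed(address: str) -> bool:
    """Weak check (hypothetical): only looks at how the string ends."""
    return any(address.lower().endswith("@" + d) for d in ALLOWED_DOMAINS)


def canonical_address(address: str) -> Optional[str]:
    """Return the one address to both validate and mail, or None if malformed."""
    if len(address) > 254 or address != address.strip():
        return None
    if address.count("@") != 1:  # rejects a@b.com@c.fr style input outright
        return None
    local, domain = address.split("@")
    if not _LOCAL_RE.fullmatch(local):
        return None
    if local.startswith(".") or local.endswith(".") or ".." in local:
        return None
    domain = domain.lower()
    labels = domain.split(".")
    if len(labels) < 2 or not all(_LABEL_RE.fullmatch(l) for l in labels):
        return None
    return f"{local}@{domain}"


def strict_is_allowed(address: str) -> bool:
    """Allowlist decision made on the canonical address only."""
    canon = canonical_address(address)
    if canon is None:
        return False
    domain = canon.rsplit("@", 1)[1]
    # Assumption: subdomains of an allowed domain are accepted.
    return any(domain == d or domain.endswith("." + d) for d in ALLOWED_DOMAINS)


if __name__ == "__main__":
    samples = [
        "fs0c131y@protonmail.com@elysee.fr",             # from the article
        "fs0c131y@protonmail.com@presidence@elysee.fr",  # from the article
        "agent@elysee.fr",                               # constructed
    ]
    for s in samples:
        print(f"{s!r}: naive={naive_is_allowed(s)} strict={strict_is_allowed(s)}")
```

The mailer should be handed the value returned by `canonical_address`, never the raw request field, so the address that passed the check is the address that receives the token.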
