A security expert discovered a critical flaw in Tchap, the secure encrypted messaging app newly launched by the French government for communication between government officials.
The main aim of the app was to replace popular messaging apps like WhatsApp and Telegram for government officials. By keeping the data flowing through servers inside the country, it is meant to prevent foreign intruders from spying on their communications.
The Tchap app was launched on April 18, 2019, and is built on Riot, an open-source instant messaging client based on the Matrix protocol.
The app was made available on both the iOS and Android app stores and can be downloaded by anyone, but only French government employees can access it.
You need a French government-issued email account, such as @gouv.fr or @elysee.fr, to sign up and access it.
The flaw allowed anyone to sign up for an account in the Tchap app without a government-issued email account and gain access to groups and channels.
In the blog post, the researcher demonstrated how to create an account using a regular email address by exploiting an email validation bug in the Tchap Android app.
The researcher performed a dynamic analysis of the app and found that certificate pinning was implemented. He disabled it using Frida.
“During the registration process, the app requests a token and, depending on your email address, it will use the ‘correct’ id_server. All the available servers are defined in the AndroidManifest.xml.”
At first, the researcher set id_server to matrix.agent.elysee.tchap.gouv.fr and, in the token request, modified the email address to email@example.com@elysee.fr, but did not receive any validation email.
In the second attempt, he modified the email to firstname.lastname@example.org@email@example.com and received a validation email from Tchap in his account.
The researcher was logged in as an Elysée employee and had access to all the public rooms.
The researcher notified the Matrix security team of the issue, and they quickly fixed the bug. The patch was explicitly released only for the Tchap app.
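The bug class described above, a domain check that scans the address for an allowed suffix instead of parsing it, as an added example that is not Tchap's, Riot's or Matrix's code: the weak check is a hypothetical illustration of that class, and the strict check shows the mitigation (exactly one "@", a well-formed local part, and an exact or subdomain match against the allow-list). The allow-list and sample addresses are constructed for the example.

```python
import re
from typing import Optional

# Constructed allow-list for the example (the page names these two suffixes).
ALLOWED_DOMAINS = ("gouv.fr", "elysee.fr")

# Hypothetical weak check: searches the whole string for "@<allowed>" so an
# address carrying an extra "@elysee.fr" after a foreign mailbox is accepted.
WEAK_PATTERN = re.compile(
    r"@(" + "|".join(re.escape(d) for d in ALLOWED_DOMAINS) + r")\b"
)


def weak_domain_allowed(email: str) -> bool:
    """Illustration of the bug class: substring match, no parsing."""
    return WEAK_PATTERN.search(email) is not None


def strict_domain(email: str) -> Optional[str]:
    """Return the allow-listed base domain the address belongs to, or None.

    Rejects anything with more or fewer than one "@", a malformed local part
    or domain, or a domain that merely contains an allowed name as a prefix
    (e.g. elysee.fr.example.com).
    """
    email = email.strip().lower()
    if email.count("@") != 1:
        return None
    local, domain = email.split("@")
    if not re.fullmatch(r"[a-z0-9][a-z0-9.+_-]*", local):
        return None
    if not re.fullmatch(r"[a-z0-9.-]+\.[a-z]{2,}", domain):
        return None
    for allowed in ALLOWED_DOMAINS:
        # exact match or a labelled subdomain of an allowed domain
        if domain == allowed or domain.endswith("." + allowed):
            return allowed
    return None


if __name__ == "__main__":
    # Constructed samples: one legitimate address, two shaped like the bypass.
    for addr in ("agent@elysee.fr",
                 "attacker@example.com@elysee.fr",
                 "attacker@elysee.fr.example.com"):
        print(f"{addr:40} weak={weak_domain_allowed(addr)} "
              f"strict={strict_domain(addr)}")
```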