A white-hat hacker found a way to get into the French government’s newly launched, secure encrypted messaging app that was otherwise can only be accessed by officials and politicians with email accounts associated with the government identities.
Dubbed “Tchap,” the end-to-end encrypted, open source messaging app has been created by the French government with an aim to keep their officials, parliamentarians and ministers data on servers inside the country over concerns that foreign agencies could use other services to spy on their communications.
The Tchap app is built using the Riot client, an open source instant messaging software that implements self-hostable Matrix protocol for end-to-end encrypted communication.
Yes, it’s the same “Riot and Matrix” that was in the news earlier this week after an unknown hacker breaks into its servers and successfully stole unencrypted private messages, password hashes, access tokens, and GPG keys the project maintainers used for signing packages.
The cyber attack on Matrix was so serious that it eventually forced its maintainers to shut down the entire production infrastructure of the service for several hours and log all users out of Matrix.org.
Though the Tchap app is available on Google Play Store and can be downloaded by anyone, users who have a government-issued email account, for example, @gouv.fr or @elysee.fr, are the only one who can sign-up and access it.
However, Robert Baptiste, a French security researcher who is better known by his Twitter username Elliot Alderson, found a security loophole that could allow anyone to sign up an account with the Tchap app and access groups and channels without requiring an official email address.
In a blog post published today, Robert demonstrated how he was able to create an account with the service using a regular email ID by exploiting a potential email validation bug in the Tchap’s Android app.
“I modified email to firstname.lastname@example.org@email@example.com. Bingo! I received an email from Tchap, I was able to validate my account!” Robert says.
“I am logged as an Elysée employee, and I had access to the public rooms.”
Robert notified his findings to the Matrix team, who quickly released a patch update to fix the issue, which according to the team, was specific only to the DINSIC matrix deployment.