French Government’s Messaging App Hacked Hours after Launch

A French white hat hacker called Robert Baptiste (aka @fs0c131y) discovered how to break into Tchap, a new secure messaging app launched by the French government for encrypted communications between officials and politicians, according to a report by Security Affairs.

The app was developed by DINSIC (Interministerial Directorate of Digital and Information System and Communication of the State), as a project controlled by France’s National Cybersecurity Agency (ANSSI). It aims at replacing popular instant messaging services like Telegram and WhatsApp for government people.

Tchap was launched on April 18 and is available on the official iOS and Android app stores, but only French government employees (using @gouv.fr or @elysee.fr email accounts) can sign-up for an account. The app’s key point is that encrypted communications flow through internal servers to prevent cyber-attacks carried out by foreign nation-state actors.

The French government published Tchap’s source code on GitHub, it is based on Riot, a well-known open-source instant messaging client-server package. According to the report, Baptiste found a security bug that could allow anyone to sign up an account with the Tchap app and access groups and channels without using an official government email account.

The expert demonstrated how to create an account with the service using a regular email ID by exploiting a potential email validation vulnerability in the Android version of the Tchap app. After he logged as an Elysée employee, he was able to access to the public rooms. He reported the issue to the Matrix team who developed the Riot client, and it quickly fixed the bug and released a patch. The released patch was specific only to the application developed by French intelligence.

Last week, Matrix.org warned users of a security breach, a hacker gained unauthorized access to the production databases, including unencrypted message data, access tokens, and also password hashes. According to Matrix.org, the attacker has exploited a known vulnerability in the Jenkins open source automation server to hijack credentials and gain access to the systems of the organization.