On April 17, the French government introduced an Android application meant to be used by government employees as an internal secure channel for communications. Called Tchap, it was touted as a replacement for WhatsApp and Telegram, providing (in theory) both group and private messaging channels that only people with government email addresses could join.
Tchap is not intended to be a classified communications system—it runs on regular Android phones and uses the public Internet. But as the DINSIC, the French inter-ministry directorate for information systems that runs Tchap put it, Tchap “is an instant messenger allowing government employees to exchange real-time information on everyday professional issues, ensuring that the conversations remain hosted on the national territory.” In other words, it’s to keep official government business off of Facebook’s and Telegram’s servers outside France.
Based on the Riot.im chat application from the open source project Matrix, Tchap is officially still in “beta,” according to DINSIC. And that beta test is getting off to a rough start. Within two days, French security researcher Baptiste Robert—who goes by the Twitter handle @fs0c131y (aka Elliot Alderson)—had tapped into Tchap and subsequently viewed all of the internal “public” discussion channels hosted by the service.
On the bright side, DINSIC responded quickly, and the agency is now embracing input from security researchers to help make the application more secure. But as with many “digital transformation” projects, this one was done with perhaps a bit too little prior planning for security.
I’m the president!
The name servers set up by the departments and ministries of the French government running Matrix’s code were parsing email addresses submitted for new accounts to check against existing email addresses within their directory services. After doing code analysis on the Tchap package posted to Google’s Play store, Robert used the Frida proxy tool to alter a Web request for a new account from the app to pass a crafted email address value that grafted his own address onto a known account on the targeted directory server—[email protected], the official email address of the Élysée, the official residence of France’s president. The value sent to the server used an @ symbol to separate the two addresses ([email protected]@[email protected]).
Because of the way the directory service validated the email address, it matched the address in the second half of the pair with the known address. But the code that parsed the address for the validation email on the server side, which was built with the Python email.utils module, trimmed off everything after the first valid address. That means Robert got an email back for verification of the account, and the server thought the address was an official government account.
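The parser differential described above, as a constructed model added here (not Tchap's, Matrix's or DINSIC's code): a permissive directory lookup that accepts a known address found at the end of the submitted string, a delivery step that keeps only the first address, and a hardened check that requires the parsed address to round-trip to the exact submitted value before the directory lookup. The directory entries and the crafted value are placeholders.

```python
import re
from email.utils import parseaddr

# Constructed sample directory of "known" government addresses (placeholders).
DIRECTORY = {"president@elysee.example", "agent@ministere.example"}

# Constructed crafted value in the shape the article describes: the attacker's
# address grafted onto a known one with an extra "@".
CRAFTED = "rob@evil.example@president@elysee.example"

_ADDR = r"[\w.+-]+@[\w.-]+"


def lenient_directory_match(value, directory):
    """Models the permissive directory check: the last email-shaped token in
    the submitted string is looked up, so the grafted official address matches."""
    m = re.search(_ADDR + r"$", value)
    return m.group(0) if m and m.group(0) in directory else None


def delivery_address(value):
    """Models the verification-mail step: only the first addr-spec is kept and
    everything after it is trimmed, so the mail goes to the attacker's address."""
    m = re.match(_ADDR, value)
    return m.group(0) if m else None


def canonical_address(value):
    """Hardened check: exactly one '@', and the addr-spec that email.utils
    extracts must equal the submitted string. Older interpreters returned the
    first address for multi-'@' input and recent ones return '', and the
    round-trip comparison rejects both; display-name forms are rejected too."""
    value = value.strip()
    _, parsed = parseaddr(value)
    if not parsed or parsed != value or value.count("@") != 1:
        return None
    local, domain = value.split("@")
    if not local or not domain:
        return None
    return value.lower()


def register(value, directory, hardened):
    """Returns the address the verification mail would be sent to, or None."""
    if hardened:
        addr = canonical_address(value)
        return addr if addr in directory else None
    if lenient_directory_match(value, directory):
        return delivery_address(value)
    return None
```

The hardened path validates and looks up one canonical string, so the value that passes the directory check is the same value the mail is sent to.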
Within two hours of downloading the application, Robert had a validated account and appeared to the system to be an Élysée employee. Since all the accounts on the system are tied directly to the official email accounts of French government officials, he consequently had access to profile information about employees at multiple ministries.
Robert contacted the Élysée, which in turn contacted DINSIC. Within an hour, account creation had been suspended; a patch was deployed and service restored just over three hours later. DINSIC emphasized that Alderson only had access to public “lounges” visible to all messaging users and not to private chat areas or confidential information.
Robert notified the Matrix security team as well, and its network was taken down as developers rebuilt the authentication code. As of 4:00pm EST today, the Matrix website still reported parts of the network were down for “emergency maintenance.”
Rebuild status: pretty much all the key systems for https://t.co/vidAnPoIo2 are back online. All integs now work again, almost all bridges are back; all new https://t.co/1bhym6Xh6K; new blog. Thanks for your patience & understanding whilst we do the last bits (eg fedtester).
— Matrix (@matrixdotorg) April 18, 2019
This is why they call it “beta”
This was just one of five flaws Robert found in a period of three days. But the biggest problem was that no work appears to have been done in advance of the beta release of Tchap to confirm the security of its architecture. The Matrix team, which is based in the United Kingdom, confirmed to Alderson by email that “there was no security audit on their solution”—fairly shocking for something that was being touted as a secure government communications tool intended to be safer than Telegram and WhatsApp.
In response to Robert’s posts about additional Tchap flaws, DINSIC posted on Twitter:
Thank you for the report. After analysis, none of these elements is likely to compromise protected information. However, we intend to evolve Tchap to take into account a better management of avatars. We will answer you by email in detail.
— Tchap (@tchap_dinsic) April 21, 2019
Since then, however, the French government has announced a bug bounty program for Tchap. In a press release, a DINSIC spokesperson said, “This beta version will be subject to continuous improvement, both in terms of usability and security. Thus, DINSIC will listen to the experts of the civil society and will take into account any return that they would go back to him to improve the application, as it was the case for a fault—of minor impact—detected on April 18 and corrected in a few hours.”