Friday, June 18 2021

The French government's WhatsApp replacement lets anyone join Élysée conversations

Rows of people in a uniformed procession in a palace.
While the French president was congratulating the firefighters who saved Notre Dame Cathedral from the fire, a security researcher was burning down a new "secure" chat app meant to keep French civil servants off WhatsApp and Telegram.

On April 17, the French government introduced an Android app intended to give civil servants an internal, secure messaging channel. Called Tchap, it was billed as a replacement for WhatsApp and Telegram, offering (in theory) both group and direct message channels that only people with government email addresses can join.

It is not meant to be a classified communication system: it runs on ordinary Android phones and uses the public Internet. But according to DINSIC, the French interministerial IT agency that manages Tchap, Tchap is "a messenger that allows civil servants to exchange real-time information on everyday professional matters while ensuring that conversations remain on national territory." In other words, it is meant to keep official state business off Facebook's and Telegram's servers outside France.

Based on the chat application (Riot) from the open-source Matrix project, Tchap is officially still in beta, according to DINSIC. And that beta got off to a rough start. Within two days, French security researcher Baptiste Robert, who goes by @fs0c131y (aka Elliot Alderson) on Twitter, had gotten into Tchap and could see every internal "public" discussion channel served by the service.

To its credit, DINSIC reacted quickly, and the agency is now taking in contributions from security researchers to make the app safer. But, as with many "digital transformation" projects, this one shipped with a little too little security planning.

I'm the president!

The servers set up by French government departments and ministries running the Matrix code checked the email address submitted for a new account against the existing email addresses in their directories. After analyzing the Tchap package code posted on the Google Play Store, Robert used the Frida dynamic instrumentation toolkit to modify the app's new-account request so that it passed a crafted email address, one that spliced his own address onto a known account in the target directory: [email protected], the official email address of the Élysée, the official residence of the President of France. The value sent to the server used the @ symbol to join the two addresses (anaddress @ @ presidence @

Because of the way the directory service validated the email address, it matched the second half of the pair against the known address. But the code that parsed the address for the server's verification email, built with the Python email.utils module, truncated everything after the first valid address. The result: Robert received the verification email, while the server believed the address belonged to an official state account.
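To make that mismatch concrete, here is an added example (not Tchap's, Synapse's or Matrix's code) that puts the two checks side by side: a suffix-style whitelist test on the raw submitted string, and the delivery address that Python's email.utils.parseaddr extracts from the same string, followed by a hardened validator that forces both to agree on one canonical address. The domains, the whitelist and the crafted address are constructed for the illustration; the crafted string shows the double-@ construction rather than the exact value Robert submitted. One caveat on reproducing the old behaviour: interpreters without the fix for CVE-2019-16056 (the parseaddr double-@ bug, patched in the Python releases of late 2019) returned the first mailbox, which is the truncation described above; patched interpreters return an empty address instead. The example only relies on what holds either way: the delivery address is never the whitelisted one.

```python
import re
from email.utils import parseaddr
from typing import Optional

# Hypothetical whitelist of government mail domains. The real Tchap server
# configuration is not shown on the page; this set is constructed for the example.
ALLOWED_DOMAINS = {"presidence.example.fr", "interieur.example.fr"}

# Constructed illustration of the double-@ trick: the attacker's own mailbox
# followed by a whitelisted domain. Not the exact string Robert submitted.
CRAFTED = "intruder@attacker.example@presidence.example.fr"


def weak_whitelist_accepts(raw: str) -> bool:
    """Directory-style check on the raw submitted string: does it end with a
    whitelisted domain? A suffix match like this only ever sees the second
    half of the crafted address."""
    return any(raw.lower().endswith("@" + d) for d in ALLOWED_DOMAINS)


def delivery_address(raw: str) -> str:
    """Where the verification mail actually goes: the addr-spec that
    email.utils.parseaddr extracts. Interpreters without the CVE-2019-16056
    fix return the first mailbox ('intruder@attacker.example'); patched ones
    return '' for a string with a second '@' inside the domain. Neither is
    the whitelisted address the check above matched."""
    return parseaddr(raw)[1]


def vulnerable_register(raw: str) -> Optional[str]:
    """The flawed flow: whitelist on the raw string, delivery address from the
    parser. Returns the mailbox that would receive the verification link, or
    None if the whitelist rejected the address."""
    if not weak_whitelist_accepts(raw):
        return None
    return delivery_address(raw)


# Deliberately conservative local-part grammar; a real deployment may allow more.
LOCAL_PART = re.compile(r"^[A-Za-z0-9._%+-]+$")


def validate_registration_email(raw: str) -> Optional[str]:
    """Hardened check: the string the whitelist is tested against must be the
    very string the mail will be sent to, and it must be a single plain
    addr-spec. Returns the canonical address, or None to reject."""
    candidate = raw.strip()
    name, addr = parseaddr(candidate)
    # Anything the parser dropped, rewrote or failed on is rejected:
    # display names, comments, angle brackets, empty results.
    if name or not addr or addr != candidate:
        return None
    # Exactly one '@' rules out the double-@ construction regardless of how
    # this interpreter's parser happens to handle it.
    if addr.count("@") != 1:
        return None
    local, domain = addr.split("@")
    if not LOCAL_PART.fullmatch(local):
        return None
    if domain.lower() not in ALLOWED_DOMAINS:
        return None
    return local + "@" + domain.lower()


if __name__ == "__main__":
    print("weak check accepts crafted address:", weak_whitelist_accepts(CRAFTED))
    print("verification mail would go to:", repr(vulnerable_register(CRAFTED)))
    print("hardened check on crafted address:", validate_registration_email(CRAFTED))
    print("hardened check on legitimate address:",
          validate_registration_email("agent@presidence.example.fr"))
```

The design point is in validate_registration_email: whatever the whitelist matched is exactly what the mail is addressed to, because both are derived from one parsed-and-compared value. Rejecting any input the parser had to clean up (display names, comments, whitespace) is cheaper and safer than trying to enumerate every way two parsers can disagree.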

Within two hours of pulling down the app, Robert had a validated account, and to the system he looked like an Élysée employee. Because every account in the system was tied directly to an official French government email address, he had access to employee profile information across different ministries.

Robert contacted the Élysée, which in turn contacted DINSIC. Within an hour, account creation was suspended; a patch was deployed and service was restored a little more than three hours later. DINSIC stressed that Alderson had only had access to public "salons" (rooms), visible to every user of the messaging service, and not to private chats or confidential information.

Robert also notified the Matrix security team, and its network was taken offline while developers reworked the authentication code. As of 4:00 pm EST today, the Matrix website was still reporting parts of the network as under emergency maintenance.

So that's why they call it "beta"

That was just one of five flaws Robert discovered over a three-day period. But the biggest problem is that no work was done before Tchap's beta to verify the security of its architecture. The UK-based Matrix team confirmed to Alderson by email that "there was no security audit of their solution", which is startling for something advertised as a secure government communication tool meant to be more secure than Telegram and WhatsApp.

In response to Robert's posts about further Tchap flaws, DINSIC wrote on Twitter:

Thank you for the report. After analysis, none of these elements are likely to compromise protected information. However, we intend to develop Tchap to handle avatars better. We will respond by email in detail.

Since then, however, the French government has announced a bug bounty program for Tchap. In a press release, a DINSIC spokesperson said: "This beta will be subject to continuous improvement, both in terms of usability and security, and will draw on feedback to improve the application, as in the case of the flaw, with minor impact, discovered on April 18 and corrected within a few hours."
