On April 17, the French government introduced an Android app intended as an internal secure messaging channel for civil servants. Called Tchap, it was billed as a replacement for WhatsApp and Telegram, providing (in theory) both group and personal message channels that only people with government email addresses can join.
It is not intended to be a classified communication system – it runs on ordinary Android phones and uses the public Internet. But according to DINSIC, the French interministerial IT department that manages Tchap, Tchap is a messenger that "allows civil servants to exchange real-time information about everyday business issues while ensuring that conversations remain on national territory." In other words, it is meant to keep official state business off Facebook and Telegram servers outside France.
Based on the Riot.im chat application from the open-source Matrix project, Tchap is officially still in beta, according to DINSIC. And that beta got off to a rough start. Within two days, French security researcher Baptiste Robert, who tweets as @fs0c131y (aka Elliot Alderson), had got into Tchap and was soon able to see all of the internal "public" discussion channels being served by the service.
On the other hand, DINSIC reacted quickly, and the agency is currently taking on board the contributions of security researchers to make the application safer. But, as with many "digital transformation" projects, this one was rolled out with a little too little security planning.
I'm the president!
The directory servers set up by the French government's departments and ministries running the Matrix code parsed the email addresses submitted for new accounts in order to check them against the existing email addresses in their services. After analyzing the Tchap package code posted on the Google Play store, Robert used the Frida instrumentation toolkit to alter the web application's request for a new account, passing a crafted email address value that chained his own address onto a known address in the target directory: presidence@elysee.fr, the official email address of the Élysée, the official residence of the President of France. The value sent to the server used the @ symbol to join the two addresses (anaddress@protonmail.com@presidence@elysee.fr).
Because of the way the directory service validated the email address, it matched the second half of the pair against the known address. But the server-side code that parsed the address for the verification email, built on Python's email.utils module, discarded everything after the first valid address. The result was that Robert received the verification email, while the server believed the address belonged to an official state account.
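The following is an added illustration of the two-parsers problem described above; it is not Tchap's or the Matrix project's real code, and the allow-list, the lenient address extractor and the sample values are constructed for the example. One code path trusts whatever follows the last "@" when deciding whether an address is allowed, while the mailer extracts only the first address-shaped token; on a value carrying several "@" signs they disagree. The hardened version parses the input once with `email.utils.parseaddr`, validates the parsed value, and mails that same value. (Current Python releases return an empty address from `parseaddr` for multi-"@" input, a change made in bpo-34155, which is why the lenient extractor is reproduced with a regular expression rather than relying on the library's older behaviour.)

```python
"""Two code paths, one user-supplied string: the validator and the mailer
must agree on what the address is, or the check can be bypassed."""
import re
from email.utils import parseaddr
from typing import Optional

# Constructed allow-list standing in for the government e-mail directory.
ALLOWED_DOMAINS = {"elysee.fr", "example.gouv.fr"}

# One address-shaped token: text up to an '@', then text up to the next '@'
# or whitespace. Mimics a lenient parser that stops at the first complete
# address and ignores the remainder (a constructed stand-in for the old
# behaviour described in the article).
_FIRST_ADDR = re.compile(r"[^@\s]+@[^@\s]+")


def naive_domain_check(raw: str) -> bool:
    """Vulnerable check: trusts whatever follows the LAST '@'."""
    return raw.rsplit("@", 1)[-1].lower() in ALLOWED_DOMAINS


def lenient_recipient(raw: str) -> str:
    """Vulnerable mailer view: the FIRST address-shaped token, rest ignored."""
    match = _FIRST_ADDR.search(raw)
    return match.group(0) if match else ""


def vulnerable_signup(raw: str) -> Optional[str]:
    """Return the mailbox that receives the verification link, or None if
    the sign-up is refused. The check and the mailer look at different
    parts of the same input, which is the flaw."""
    if not naive_domain_check(raw):
        return None
    return lenient_recipient(raw)


def hardened_signup(raw: str) -> Optional[str]:
    """Parse once, validate the parsed value, and mail the same value."""
    candidate = raw.strip()
    _, parsed = parseaddr(candidate)
    # Reject anything the parser could not handle or had to rewrite:
    # empty results, display names, comments, or more than one '@'.
    if not parsed or parsed != candidate or parsed.count("@") != 1:
        return None
    local, domain = parsed.split("@")
    if not local or domain.lower() not in ALLOWED_DOMAINS:
        return None
    return parsed


# The crafted value from the article, plus two constructed comparison inputs.
CRAFTED = "anaddress@protonmail.com@presidence@elysee.fr"
SAMPLES = ("presidence@elysee.fr", CRAFTED, "someone@protonmail.com")

if __name__ == "__main__":
    for value in SAMPLES:
        print(f"{value!r:50} vulnerable={vulnerable_signup(value)!r} "
              f"hardened={hardened_signup(value)!r}")
```

Running the script shows the crafted value passing the naive domain check while the verification mail goes to the protonmail mailbox; the hardened path refuses it because the parsed address does not equal the submitted one. Requiring the parsed address to match the raw input exactly is deliberately strict for a sign-up form: display names and comments have no business in that field, and the same string is then used for every later decision.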
Within two hours of the application's launch, Robert had a validated account, and as far as the system was concerned he was an Élysée employee. Because all accounts in the system were directly tied to the official email addresses of French government employees, he had access to employee profile information across different ministries.
Robert contacted the Élysée, which in turn contacted DINSIC. Within an hour, account creation was suspended; a patch was deployed and the service was restored a little more than three hours later. DINSIC stressed that Alderson had access only to public rooms ("salons"), visible to all users of the messenger, and not to private chats or confidential information.
Robert also informed the Matrix security team, and its network was taken offline while developers reworked the authentication code. As of 4:00 pm EST today, the Matrix website still reported parts of its network under emergency maintenance.
Status update: almost all key https://t.co/vidAnPoIo2 systems are back online. All objects are working again, almost all bridges are back; all new https://t.co/1bhym6Xh6K; new blog. Thank you for your patience and understanding while we finish the last bits (e.g., Fedtester).
– Matrix (@matrixdotorg) April 18, 2019
So they call it "beta"
This was just one of five flaws Robert discovered over a three-day period. But the biggest problem is that no work was done before Tchap's beta release to verify the security of its architecture. The UK-based Matrix team confirmed to Alderson by email that "there was no security audit of their solution" – fairly shocking for something advertised as a secure government communications tool designed to be more secure than Telegram and WhatsApp.
In response to Robert's posts about further flaws in Tchap, DINSIC posted on Twitter:
Thank you for the report. After analysis, none of these elements is likely to compromise protected information. However, we intend to develop Tchap to take avatars into account better. We will respond in detail by email.
– Tchap (@tchap_dinsic) April 21, 2019
Since then, however, the French government has announced a bug bounty program for Tchap. In a press release, a DINSIC spokesperson said: "This beta will be subject to continuous improvement in both usability and security, and we will return to it to improve the application, as in the case of the flaw – with minor impact – discovered on April 18 and corrected within a few hours."