Published On: Mon, Apr 22nd, 2019

Researcher finds security flaw in French government’s chat app


A security researcher finds a way to bypass Tchap restrictions limiting access only to those with French government email addresses

Published 8:41 PM, April 22, 2019

Updated 8:41 PM, April 22, 2019

TCHAP. A flaw that would have allowed non-government officials to access Tchap is fixed. Image from

MANILA, Philippines – A French security researcher on Friday, April 19, uncovered a flaw in Tchap, the French government's recently released secure messaging application.

Tchap was launched on April 17 and was meant to allow government officials to securely contact other officials working for the French government. Access to the app is meant to be limited only to those with French government email addresses.

Security researcher Baptiste Robert, known on Twitter as Elliot Alderson or @fs0c131y, found a way to bypass that restriction.

Tchap is a fork (a divergent branch developed from an existing piece of software) of an open-source project known as Riot, which is itself built on Matrix, an open-source end-to-end encrypted messaging protocol. The French agency DINSIC worked with Matrix to develop the application.

Robert found that by modifying his email address to look like it had the ending of a government email address, he could gain access to Tchap.

He reported the issue to Matrix, which fixed the flaw and explained the incident in a statement. The app’s issue, Matrix said, was related to the identification system used by the government.

A TechCrunch report added that Robert found a bug in the parsing method of a Python module used by the app. This has not been fixed since July 2018.
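The restriction described above depends on how the server decides that an address belongs to an approved domain. The following is an added example, not code from Tchap, Matrix, or the Python module mentioned in the report: it contrasts a check that only looks at how the string ends with a strict one that accepts a single well-formed mailbox and returns the canonical string the confirmation mail should be sent to. The domain `gouv.example`, the function names, and the sample addresses are constructed assumptions.

```python
import re

# Constructed allowlist (assumption); a real deployment would load its own domains.
ALLOWED_DOMAINS = {"gouv.example"}

# Conservative patterns: a deliberate subset of what RFC 5321 permits.
_LOCAL = re.compile(r"[A-Za-z0-9.!#$%&'*+/=?^_`{|}~-]{1,64}")
_LABEL = re.compile(r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)")


def naive_is_allowed(address: str) -> bool:
    """Weak check: only looks at how the string ends."""
    return address.lower().endswith(tuple(ALLOWED_DOMAINS))


def canonical_allowed_address(address: str):
    """Return the canonical address if it is one well-formed mailbox on an
    allowlisted domain (or a true subdomain of one), otherwise None."""
    if address != address.strip() or address.count("@") != 1:
        return None  # whitespace padding, or zero / several '@' signs
    local, domain = address.split("@")
    domain = domain.lower()
    if not _LOCAL.fullmatch(local):
        return None
    if local.startswith(".") or local.endswith(".") or ".." in local:
        return None
    labels = domain.split(".")
    if len(labels) < 2 or not all(_LABEL.fullmatch(label) for label in labels):
        return None
    # Compare whole labels: the domain itself, or something ending in ".<domain>".
    if not any(domain == d or domain.endswith("." + d) for d in ALLOWED_DOMAINS):
        return None
    # Callers deliver mail to this exact string, so the address that was
    # validated and the address that receives the token cannot differ.
    return f"{local}@{domain}"


# Constructed sample inputs.
SAMPLES = [
    "agent@gouv.example",
    "agent@interieur.gouv.example",
    "someone@notgouv.example",
    "someone@mail.example@gouv.example",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(f"{s!r}: naive={naive_is_allowed(s)} strict={canonical_allowed_address(s)!r}")
```

The strict function rejects anything it cannot parse unambiguously instead of trying to repair it, and the caller uses only its return value for delivery.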

The French government, in its press release on Tchap, also said it would offer a bug bounty program to improve security.