Hacker Breaks Into French Government-Only Messaging App

This week France launched a secure government only messaging app in order to protect government official’s chats. The app, called Tchap is supposed to have elevated levels of security compared to off the self apps like Telegram, which French government officials were using until recently. All conversations on the app are protected with end-to-end encryption and antivirus, and all data will be stored on French servers, ensuring it stays within the country.

Countries around the world are becoming increasingly concerned with where their data is being held. Just last week we discussed how Russia has fined Facebook and Twitter $47 for failing to disclose where the data of Russia citizens is being held after Russia passed a law in 2016 that required data of their citizens to be held on servers within its territory.

While a $47 fine may seem comical, this move is likely the first step in an overall plan to crack down on the handling of citizen data. Russia blocked LinkedIn in 2016 for the same reasons.

It’s fair to speculate that French government officials are probably discussing things that the rest of us should not be privy to and so it’s understandable that they are worried about the data getting into the wrong hands.

The chat app is only available to French government officials and at present only between 20 and 30 officials are using the app, but there are plans to roll it out across all officials and make it mandatory by summer 2019.

A white hat hacker has now found a way to get into the secure messaging app. The app can be downloaded on the Google Play Store any anyone, but only users who have a French government email address should be able to sign up and access the chat channels. However, French security researcher Robert Baptiste, who goes by Elliot Alderson on Twitter, found a security loophole.

Robert published a blog post discussing how he pulled off the trick.

So I did another try and in the requestToken request and I modified email to fs0c131y@protonmail.com@presidence@elysee.fr. Bingo! I received an email from Tchap, I was able to validate my account!

*hacker voice*: I’m in.

I am logged as an Elysée employee and I had access to the public rooms.

Once Robert was able to get in he notified the Matrix team behind the messaging app software. The team quickly released a fix for the issue. The Tchap app is built using the riot client, an open source Matrix client with an emphasis on performance and usability.

With a security breach straight after its launch, is Tchap really a more secure alternative to other messaging apps? On April 12 hackers managed to deface the Matrix website and steal unencrypted private messages, password hashes, access tokens and more which lead to a shut down in production for several hours.

Perhaps France has been too quick to move to an alternative when the threat of intercepted messages on Telegram didn’t appear to be imminent. However, Matrix does seem committed to providing a safe and secure messaging app and are quick to respond to problems when they do occur. Only time will tell whether the French government made the right choice.