UPDATED 20:27 EDT / APRIL 21 2019

France launches secure messaging app – complete with security vulnerability

The French government launched a new messaging app for state employees on April 18, but within hours the application was found to have a serious security vulnerability.

Tchap, available for both iOS and Android but limited to government employees, was built by the French state to replace Telegram, offering similar features such as end-to-end encrypted messaging.

The idea behind the government launching its own chat app was to keep government communications on French servers and away from third-party apps that may be susceptible to foreign interference or hacking. At a time of heightened concern about state-sponsored hacking, the French hosting their own data makes sense, but that protection is only as good as the app’s security, and that was quickly found to be lacking.

The flaw lies in the registration process, which allowed anyone to register and spy on government communications. Discovered by French security researcher Baptiste Robert, the flaw let a user append a government domain to their regular email address, such as name@domain.com@french-government-domain.com, and register on the app. The flaw came from code written for Riot, the open-source instant-messaging client on which Tchap is based.

According to ZDNet, Matrix, the company behind the Riot client, has since fixed the issue, and a patch is expected to be available for Tchap shortly.

Nabil Hannan, managing principal at Synopsys Inc., told SiliconANGLE that writing a messaging application is challenging in itself, and in this case the authentication module appears to have been custom-developed as well.

“The fact that the authentication and user-signup process was not created securely, and it was simply trusting that if the user provided a username that simply ended in ‘@french-government-domain.com’ and allowing them to sign up and authenticate is completely flawed,” Hannan said. “For sensitive systems like this, there needs to be out-of-band authentication of the user email (or contact) provided to ensure that a malicious user is not trying to sign up for a sensitive system. It’s critical that systems that need to be secure go through thorough design reviews (prior to development) and then go through proper assessments like penetration testing, code review and threat modeling to ensure that the system was implemented with the correct security controls and the security requirements were implemented correctly.”
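To illustrate the registration weakness described above and the check Hannan calls for, here is an added example (not Tchap’s or Riot’s code) showing a suffix-based domain check beside a hardened one that parses the address first; the allowlisted domain is a placeholder, not the real Tchap configuration.

```python
import re
from typing import Optional

# Constructed allowlist of permitted sign-up domains (placeholder value).
ALLOWED_DOMAINS = {"french-government-domain.com"}

# Domain grammar: one or more DNS labels followed by an alphabetic TLD.
_DOMAIN_RE = re.compile(r"(?:[a-z0-9](?:[a-z0-9-]*[a-z0-9])?\.)+[a-z]{2,}", re.I)


def is_allowed_naive(email: str) -> bool:
    """Weak check of the kind the article describes: accept any string that
    ends in an allowed domain.  'name@domain.com@french-government-domain.com'
    passes because only the trailing text is inspected."""
    return any(email.endswith("@" + d) for d in ALLOWED_DOMAINS)


def extract_domain(email: str) -> Optional[str]:
    """Parse the address strictly before trusting any part of it:
    exactly one '@', a non-empty local part, and a well-formed domain.
    Returns the lowercased domain, or None if the address is rejected."""
    if email.count("@") != 1:
        return None
    local, domain = email.split("@")
    if not local or not domain:
        return None
    if not _DOMAIN_RE.fullmatch(domain):
        return None
    return domain.lower()


def is_allowed_strict(email: str) -> bool:
    """Hardened check: compare the parsed, normalised domain as a whole
    against the allowlist.  Subdomains and look-alike domains are rejected
    unless they are explicitly listed."""
    domain = extract_domain(email.strip())
    return domain is not None and domain in ALLOWED_DOMAINS


if __name__ == "__main__":
    # Constructed sample addresses exercising both checks.
    for addr in ("alice@french-government-domain.com",
                 "name@domain.com@french-government-domain.com",
                 "Bob@FRENCH-GOVERNMENT-DOMAIN.COM",
                 "eve@sub.french-government-domain.com"):
        print(f"{addr:50} naive={is_allowed_naive(addr)!s:5} strict={is_allowed_strict(addr)}")
```

The domain check only decides who may attempt registration; as Hannan notes, ownership of the address must still be confirmed out of band (for example by a verification message to that address) before the account is activated.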

Image: Google Play
