France launches secure messaging app – complete with security vulnerability
The French government launched a new messaging app for state employees on April 18, but within hours the application was found to have a serious security vulnerability.
Tchap, available for both iOS and Android but limited to government employees, was designed by the republic to replace the use of Telegram, with similar features such as end-to-end encrypted messaging.
The idea behind the government launching its own chat app was to keep government communications on French servers and away from third-party apps that may be susceptible to foreign intervention or hacking. In a time of government paranoia about state-sponsored hacking, the French hosting their own data makes sense, but that’s only as good as the app’s security and that was quickly found to be lacking.
The flaw relates to the registration process, which allowed anyone to register and spy on government communications. Discovered by French security researcher Baptiste Robert, the flaw let a user append a government domain to their regular email address in order to register on the app, for example firstname.lastname@example.org@french-government-domain.com. The flaw originated in code written for Riot, an open-source instant-messaging client that was used as the base for Tchap.
According to ZDNet, Matrix, the company behind the Riot client, has since fixed the issue, and a patch is expected to be available for Tchap shortly.
Nabil Hannan, managing principal at Synopsys Inc., told SiliconANGLE that writing a messaging application is challenging in itself, and that in this case the authentication module also appears to have been custom-developed.
“The fact that the authentication and user-signup process was not created securely, and it was simply trusting that if the user provided a username that simply ended in ‘@french-government-domain.com’ and allowing them to sign-up and authenticate is completely flawed,” Hannan said. “For sensitive systems like this, there needs to be out-of-band authentication of the user email (or contact) provided to ensure that a malicious user is not trying to sign up for a sensitive system. It’s critical that systems that need to be secure, go through thorough design reviews (prior to development) and then go through proper assessments like penetration testing, code review and threat modeling to ensure that the system was implemented with the correct security controls and the security requirements were implemented correctly.”
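The registration bug described above comes down to a suffix check on the raw address string. The following Python is an added illustration, not Tchap's or Riot's code, contrasting that pattern with a check that parses the address first; the allowed domain is the article's placeholder, and the allow-list and function names are assumptions made for the example.

```python
import re

# Constructed allow-list. The article names no real government domain, so this
# placeholder stands in for whatever domains a registration service would accept.
ALLOWED_DOMAINS = {"french-government-domain.com"}

# Local part of an address: letters, digits and a few common punctuation marks.
_LOCAL_PART = re.compile(r"[A-Za-z0-9._%+-]+")


def naive_is_allowed(email: str) -> bool:
    """Vulnerable check: accepts any string that merely ends with an allowed domain.

    Because it never parses the address, 'user@example.org@allowed.com' passes,
    which is the shape of the bypass reported for Tchap.
    """
    return any(email.endswith("@" + domain) for domain in ALLOWED_DOMAINS)


def parse_address(email: str):
    """Split an address into (local, domain) or return None if it is malformed.

    Exactly one '@' is required, so an address that smuggles a second '@'
    is rejected before any domain comparison happens.
    """
    if email.count("@") != 1:
        return None
    local, domain = email.split("@")
    if not _LOCAL_PART.fullmatch(local):
        return None
    if not domain or domain != domain.strip():
        return None
    return local, domain.lower()


def strict_is_allowed(email: str) -> bool:
    """Hardened check: parse first, then compare the whole domain against the allow-list."""
    parsed = parse_address(email)
    if parsed is None:
        return False
    _, domain = parsed
    return domain in ALLOWED_DOMAINS


def verification_target(email: str):
    """Address an out-of-band verification message should be sent to.

    Returns None when registration must be refused. Sending the token to the
    parsed address (not the raw input) is what makes the check out-of-band:
    only someone who controls a mailbox at the allowed domain can complete it.
    """
    parsed = parse_address(email)
    if parsed is None or parsed[1] not in ALLOWED_DOMAINS:
        return None
    local, domain = parsed
    return f"{local}@{domain}"


if __name__ == "__main__":
    # Constructed sample inputs, including the shape reported in the article.
    samples = [
        "jean.dupont@french-government-domain.com",
        "firstname.lastname@example.org@french-government-domain.com",
        "attacker@evil.example",
    ]
    for sample in samples:
        print(f"{sample!r}: naive={naive_is_allowed(sample)} strict={strict_is_allowed(sample)}")
```

The difference between the two checks is where the decision is made: the naive version inspects the tail of an untrusted string, while the strict version first establishes what the address actually is and only then asks whether its domain is acceptable. Hannan's point about out-of-band verification is the second half of the fix: even a well-parsed address only proves control of a mailbox once the sign-up completes through a token delivered to it.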
Image: Google Play