The French government has had to face the embarrassment of launching a “super secure” messaging app only to learn it had a rather large security hole in its code.
The app, called Tchap, is the French government's attempt to provide a more secure communication channel for its employees than either Telegram and WhatsApp, in use up until now, but deemed insufficiently safe for official state business.
The vulnerability in its underlying protocol (Matrix) has now been fixed, thanks to the intervention of French security researcher who goes by the name Elliot Alderson on Twitter, which is where he announced his discovery – (tweet in French) to the world, and to the authorities.
One of the benefits of using open source technology is that it can, and should be audited for bugs and security vulnerabilities. The French government understood this concept only partially, as they forked the code (creating a copy and then developing it independently) of open source messaging app Riot in order to make their own – but apparently forgot to invest serious work into making sure that the “secure” app is in fact secure.
And as it turns out, this wouldn't have required a lot of work. In a post on Medium Alderson explains that he decided to poke around the app's code, to quickly discover the bug.
In order to sign up to Tchap – whose end-to-end encrypted messages are stored on servers in France for added security – users must have a government email, ending in @gouv.fr or @elysee.fr.
Alderson eventually registered to the service by appending @[email protected] (Elysee being the equivalent in France of the White House) to his ProtonMail address. Tchap then promptly sent him a validation email to this private address, and the researcher logged in as an employee of the French Presidential Palace.
And he found professionals hard at work there – well, not really. Alderson reported that while wandering the virtual corridors of power, he came across a chat room called “yellow room,” created by a member of the French Agriculture Ministry. You guessed it – it's those for French government employees who “love yellow.”
Use The Fastest Browser That Doesn’t Track You
Blocks ads. Blocks tracking. Keeps you and your data private. Free and open source. Up to 8 times faster page loads than Chrome and Safari. Join the Brave revolution today.