Secure is France’s replacement for messaging apps like Telegram and WhatsApp for government’s use. Just this week, the app rolls out and it is surprising finding out that it comes with a security vulnerability.
Updated on 30 November 2023
What is Secure?
Last week, the French Government launched its own messaging application called Tchap. According to them, this secure messaging app like WhatsApp and Telegram is even better than the two popular messaging applications today. However, the said platform is not actually that secured. It is because, in just an hour, Tchap has been hacked due to security flaws.
A French security researcher named Robert Baptiste also known as Elliot Alderson, tested the new messaging application Tchap secure messaging app Android in Google Play. Moreover, he immediately discovered that there is an error in email validation in terms of account creation.
Since the Tchap secure messaging app Android must restrict the creation of an account for unauthorized users. And only allow people with valid government emails. The security flaw it has makes it possible for people like Alderson to clear the backend of the app in order to create an account. This brought him the ability to access even the Tchap messaging groups.
After some analysis, Alderson also found that in the process of account registration, France claimed secure messaging app like WhatsApp request some kind of token. This is to parse email addresses and inspect if they are legitimate. What he did next is that he modified the token field so he could trick the validation mechanism through entering a specially formatted email address.
Alderson failed at first. But after googling how to uncover a legit in-use email, he finally received a confirmation email from Tchap. He explained that the entire process is just simple that it only took him over an hour to finish. Behind Tchap, is the open-source administrator Matrix. After fixing the bug, it released a more detailed explanation about the vulnerability.
At the same day when Alderson found the error, Matrix modified the code on Tchap’s backend. The updated code now requires users to enter the email address that matches the parsed email address.
The Challenge in Developing New Messaging Apps
In an email, the Managing Principal at Synopsys named Nabil Hannan says that writing a new messaging application is truly challenging. Moreover, the case of Tchap secure messaging app Android is really something that is flawed from the very start. Simply allowing a username that ends with ‘@french-government-domain.com’. As well as enabling them to sign-up and be completely verified is a complete security error. And he also said that sensitive systems must require an out-of-band authentication for user emails given to make sure that a user is not trying to enter a sensitive system.
Tchap also has a secure messaging app iPhone available in AppStore. It is developed by the cybersecurity agency of France named after Claude Chappe which is the early French telegraph pioneer. After the hack, the app will still be implemented for government agencies. As well as for selected non-government organizations in replacement for Telegram and WhatsApp.