Tchap: The super (not) secure app of the French government
On Wednesday 17th April 2019, the French Government launched a messaging application called “Tchap”. On launch day, a lot of articles appeared:
- “Tchap: The government launches a messaging app more secure than Telegram”
Tchap is the name of the new secure messaging app developed by the State's services, a company… (www.phonandroid.com)
- “With Tchap, the government wants to replace Telegram and WhatsApp”
Goodbye Telegram and WhatsApp? The French State began this week to roll out its own private messaging app… (lexpansion.lexpress.fr)
When I saw these titles, I remembered my work on Kimbho, an Indian app which was supposed to be the new WhatsApp. Spoiler: it didn’t end well for Kimbho.
Patanjali's big leap into India's messaging apps market is already a disaster by day 2. Hours after launching a trial… (qz.com)
It’s 9 am. I decided to analyse the app, you know… just to see if I could find something. My goal was to spend only 1 hour on it.
I downloaded the app from the Play Store; the current version was 1.0.22_a. As always, I started by using the app as a normal user to see the available functionalities. Argh, in order to create an account, you need to have a @gouv.fr or @elysee.fr email address. I had my first goal: create an account without having an @gouv.fr or @elysee.fr email address.
I decompiled the app and did the usual static analysis. I quickly found out that the app is open source.
dinsic-pim/tchap-android: A glossy Matrix collaboration client for Android. Contribute to dinsic-pim/tchap-android development by creating an… (github.com)
It’s time for the dynamic analysis. They implemented certificate pinning in the app. Of course, you can disable it with Frida ;) During the registration process, the app requests a token.
Depending on your email address, it will use the “correct” id_server. All the available servers are defined in the AndroidManifest.xml.
I set id_server to matrix.agent.elysee.tchap.gouv.fr. For info, the Elysée is the French presidential palace. As I chose this server, I guessed I should have an @elysee.fr email address. So, in the requestToken request, I set email to email@example.com@elysee.fr. Hmm, no validation email in my inbox…
Wait, maybe it expects a known @elysee.fr email address. So I did a Google search for “email @elysee.fr”.
So I tried again: in the requestToken request, I set email to firstname.lastname@example.org@email@example.com. Bingo! I received an email from Tchap and was able to validate my account!
*hacker voice*: I’m in.
I was logged in as an Elysée employee and had access to the public rooms.
Funny thing: an employee of the Ministry of Agriculture created a “Yellow room” for “people who love yellow”.
Pro-tip: stay professional in a professional messaging app (did I really need to say that, seriously?)
9:00 am: Beginning of the analysis
10:15 am: Holy f***! I’m in
10:35 am: I made some phone calls to reach the French government employee in charge of Tchap.
11:19 am: I disclosed the details of the vulnerability to the Matrix security team.
2:00 pm: Matrix fixed the issue on the Tchap backend https://twitter.com/matrixdotorg/status/1118859344790077441
5:42 pm: Phone call with French government officials
7:48 pm: Matrix published a blog post explaining the security issue in detail
We became aware today of a flaw in sydent's validation of email addresses which can lead to a failure to correctly… (matrix.org)
The secure private messaging app “made in France”, rolled out this Thursday and intended for exchanges between State services… (www.lesechos.fr)
A cybersecurity specialist managed to access the Tchap application without being authorised to. All this just a few… (www.bfmtv.com)
Available since yesterday on Google Play and the Apple App Store, the sovereign messaging app Tchap has already fallen victim to a… (www.01net.com)
Barely rolled out by the French State, the secure private messaging app meant to replace consumer applications… (www.rtl.fr)
A launch with great fanfare, really? Tchap, the secure messaging application supposed to replace Telegram and… (www.leparisien.fr)
- Patch made by Matrix to fix the issue
Python's email parser turns malformed addresses into valid ones by removing anything after and including the second… (github.com)
Sydent: Reference Matrix Identity Server. Contribute to matrix-org/sydent development by creating an account on GitHub. (github.com)
If you like this article, feel free to follow me on Twitter
The latest Tweets from Elliot Alderson (@fs0c131y). French security researcher. Worst nightmare of Oneplus, Wiko…twitter.com
Update 19/04/19 11h54: I published a technical thread on Twitter explaining the vulnerability in detail.
The parseaddr function from the Python email.utils module is RFC compliant, but it is not doing the job correctly. An issue has been open on the Python bug tracker since 2018-07-19…
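The registration trick above and the Matrix patch description both come down to one ordering mistake: the domain was checked on the raw string, and the address was only normalised with email.utils.parseaddr afterwards, when the part after the second "@" had already been dropped. The following is an added example, not code from Tchap, sydent or Matrix: a naive suffix check beside a stricter validator that parses first and refuses any address parseaddr changed. The allow-list of @gouv.fr and @elysee.fr is an assumption modelled on the two domains named in the article, and every sample address is constructed.

```python
"""Added example (not Tchap/sydent code): the ordering bug behind the Tchap
registration bypass and a stricter validator. All sample values are constructed."""
from email.utils import parseaddr
from typing import Tuple

# Hypothetical allow-list, modelled on the two domains named in the article.
ALLOWED_DOMAINS = {"gouv.fr", "elysee.fr"}


def weak_domain_check(address: str) -> bool:
    """Naive check of the kind the article describes: accept any string whose
    suffix is an allowed domain. An earlier '@' in the string is never noticed."""
    lowered = address.strip().lower()
    return any(lowered.endswith("@" + domain) for domain in ALLOWED_DOMAINS)


def normalised_recipient(address: str) -> str:
    """The address a mailer built on email.utils.parseaddr would actually send to.
    Before the Python fix for this bug (CVE-2019-16056) parseaddr truncated
    'a@b@c' to 'a@b'; since the fix it returns ''. Either way the result differs
    from the string that passed weak_domain_check, which is the whole problem."""
    _display_name, addr_spec = parseaddr(address)
    return addr_spec


def hardened_validate(address: str) -> Tuple[bool, str]:
    """Parse first, check the parsed value, and refuse anything that parseaddr
    rewrote on the way through. Also rejects display-name forms such as
    'Alice <alice@elysee.fr>' and quoted local parts, which a sign-up form
    has no reason to accept."""
    candidate = address.strip()
    if candidate.count("@") != 1:
        return False, "address must contain exactly one '@'"
    _display_name, addr_spec = parseaddr(candidate)
    if addr_spec != candidate:
        # parseaddr dropped or rewrote something: treat the input as hostile.
        return False, "address changed during parsing"
    local_part, _, domain = addr_spec.rpartition("@")
    if not local_part or not domain:
        return False, "missing local part or domain"
    if domain.lower() not in ALLOWED_DOMAINS:
        return False, f"domain {domain!r} is not allowed"
    return True, "ok"


if __name__ == "__main__":
    # Constructed inputs: a genuine address, the malformed shape from the
    # article, a display-name form, and an outsider with no trick at all.
    samples = (
        "alice@elysee.fr",
        "attacker@example.org@elysee.fr",
        "Alice <alice@elysee.fr>",
        "bob@example.org",
    )
    for sample in samples:
        print(
            f"{sample!r:34} weak={weak_domain_check(sample)!s:5} "
            f"parseaddr={normalised_recipient(sample)!r:24} "
            f"strict={hardened_validate(sample)}"
        )
```

The only behavioural difference between Python versions is what parseaddr returns for the malformed address (the first local@domain pair, or an empty string after the fix); the hardened validator does not depend on that, because it rejects the input as soon as the parsed value fails to round-trip, which holds in both cases.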