On April 17, the French government introduced an Android application meant to be used by government employees as an internal secure channel for communications. Called Tchap, it was touted as a replacement for WhatsApp and Telegram, providing (in theory) both group and private messaging channels to which only people with government email addresses could join.
Tchap is not intended to be a classified communications system—it runs on regular Android phones and uses the public Internet. But as the DINSIC, the French inter-ministry directorate for information systems that runs Tchap put it, Tchap "is an instant messenger allowing government employees to exchange real-time information on everyday professional issues, ensuring that the conversations remain hosted on the national territory." In other words, it's to keep official government business off of Facebook's and Telegram's servers outside France.
Based on the Riot.im chat application from the open source project Matrix, Tchap is officially still in "beta," according to DINSIC. And that beta test is getting off to a rough start. Within two days, French security researcher Baptiste Robert—who goes by the Twitter handle @fs0c131y (aka Elliot Alderson)—had tapped into Tchap and subsequently viewed all of the internal "public" discussion channels hosted by the service.
On the bright side, DINSIC responded quickly, and the agency is now embracing input from security researchers to help make the application more secure. But as with many "digital transformation" projects, this one was done with perhaps a bit too little prior planning for security.
Im the president!
The name servers set up by the departments and ministries of the French government running Matrix's code were parsing email addresses submitted for new accounts to check against existing email addresses within their directory services. After doing code analysis on the Tchap package posted to Google's Play store, Robert used the Frida proxy tool to alter a Web request for a new account from the app to pass a crafted email address value that grafted his own address onto a known account on the targeted directory server—[email protected], the official email address of the Élysée, the official residence of France's president. The value sent to the server used an @ symbol to separate the two addresses ([email protected]@[email protected]).
Because of the way the directory service validated the email address, it matched the address in the second half of the pair with the known address. But the code that parsed the address for the validation email on the server side, which was built with the Python email.utils module, trimmed off everything after the first valid address. That means Robert got an email back for verification of the account, and the server thought the address was an official government account.
Within two hours of downloading the application, Robert had a validated account and appeared to the system to be an Élysée employee. Since all the accounts on the system are tied directly to the official email accounts of French government officials, he consequently had access to profile information about employees at multiple ministries.
Robert contacted the Élysée, which in turn contacted DINSIC. Within an hour, account creation had been suspended; a patch was deployed and service restored just over three hours later. DINSIC emphasized that Alderson only had access to public "lounges" visible to all messaging users and not to private chat areas or confidential information.
Robert notified the Matrix security team as well, and its network was taken down as developers rebuilt the authentication code. As of 4:00pm EST today, the Matrix website still reported parts of the network were down for "emergency maintenance."
Rebuild status: pretty much all the key systems for https://t.co/vidAnPoIo2 are back online. All integs now work again, almost all bridges are back; all new https://t.co/1bhym6Xh6K; new blog. Thanks for your patience & understanding whilst we do the last bits (eg fedtester).
— Matrix (@matrixdotorg) Read More – Source
[contf] [contfnew]
Ars Technica
[contfnewc] [contfnewc]
