The French Government last week launched a custom messaging application called Tchap, touting it as being “more secure than Telegram.” One small snag, however: the platform has already – quel dommage! – been hacked.
French security researcher Robert Baptiste, a.k.a. Elliot Alderson, downloaded the app from Google Play and quickly discovered an email validation flaw in the account-creation process.
The app is supposed to restrict account creation so that only people with government emails can use the platform (i.e., working emails ending in @gouv.fr or @elysee.fr, the latter being the domain of the French presidential residence). However, by appending a legitimate email address from one of these domains to his own, Alderson found that the app’s backend cleared him to create an account and gain access to messaging groups.
After carrying out static and dynamic analysis, he found that during account registration the app requests a validation token for the supplied email address, and the backend parses that address to make sure it is legitimate. By modifying the token request to supply a specially formatted email address, he was able to trick the validation mechanism.
Baptiste’s first attempt failed: “In the requestToken request, I modified [my] email to ‘fs0c131y@protonmail.com@elysee.fr’; hum, no validation email in my inbox,” he said in a blog post on Friday. “Wait, [I thought,] maybe it is waiting a known @elysee.fr email address.”
So, after googling to uncover a legitimate, in-use email (specifically, “presidence@elysee.fr”), he tried again, using “fs0c131y@protonmail.com@presidence@elysee.fr.”
“Bingo! I received an email from Tchap, I was able to validate my account…and gain access to public rooms [in the app],” he explained. The whole, simple process took just over an hour to complete.
Matrix, the open-source project whose code Tchap is built on, explained the vulnerability in more detail late last week after fixing the bug.
The Riot code fork that underpins the app, dubbed sydent, “uses Python’s email.utils.parseaddr function to parse the input email address before sending validation mail to it,” Matrix explained. “But it turns out that if you hand parseaddr a malformed email address of form a@b.com@c.com, it silently discards the @c.com prefix without error. The result of this is that if one requested a validation token for ‘a@malicious.org@important.com’, the token would be sent to ‘a@malicious.org’, but the address ‘a@malicious.org@important.com’ would be marked as validated.”
Matrix updated the backend code the same day that Baptiste notified it of the vulnerability; the validation now requires that the parsed email address is identical to the input email address.
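To make the bug and the fix concrete, here is an added Python model of both flows (example code written for this article, not sydent’s or Matrix’s code). It assumes the domain allowlist named above, models the flawed flow as checking the allowlist on the raw input while mailing whatever parseaddr returns, and notes that Python releases made after this incident changed parseaddr to return an empty address for input containing two ‘@’ signs, so the destination differs from the marked address either way.

```python
from email.utils import parseaddr
from typing import Optional

# Allowlist from the article; the flaw is independent of the exact domains.
ALLOWED_DOMAINS = {"gouv.fr", "elysee.fr"}


def domain_of(address: str) -> str:
    """Return the text after the rightmost '@', lower-cased ('' if none)."""
    _, _, domain = address.rpartition("@")
    return domain.lower()


def flawed_request_token(raw: str) -> Optional[dict]:
    """Model of the flawed flow (constructed, not sydent's code).

    The allowlist is checked against the raw string's last domain, but the
    validation mail goes to the address parseaddr produces, and the raw
    string is what later gets marked as validated.
    """
    if domain_of(raw) not in ALLOWED_DOMAINS:
        return None
    _, parsed = parseaddr(raw)
    # Older Python returns 'a@malicious.org' for 'a@malicious.org@important.com';
    # newer releases return ''. In neither case does the mail go to the
    # address that is about to be marked as validated.
    return {"send_to": parsed, "mark_validated": raw}


def hardened_request_token(raw: str) -> Optional[dict]:
    """Fix as described: the parsed address must equal the input exactly,
    and the allowlist is checked on that canonical address only."""
    _, parsed = parseaddr(raw)
    if not parsed or parsed != raw:
        return None  # malformed, or rewritten/truncated by the parser
    if parsed.count("@") != 1 or domain_of(parsed) not in ALLOWED_DOMAINS:
        return None
    return {"send_to": parsed, "mark_validated": parsed}
```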
We provided a fix which was deployed around 13:00 CET; the issue had not been exploited other than by @fs0c131y. We’re currently double-checking for any instances of the same problem in other deployments.
— The Matrix.org Foundation (@matrixdotorg) April 18, 2019
“Writing a messaging application is challenging in itself, and in this particular case, it looks like the authentication module was also custom-developed,” said Nabil Hannan, managing principal at Synopsys, via email. “The fact that the authentication and user-signup process was not created securely, and it was simply trusting that if the user provided a username that simply ended in ‘@french-government-domain.com’ and allowing them to sign up and authenticate is completely flawed.”
He added, “For sensitive systems like this, there needs to be out-of-band authentication of the user email (or contact) provided to ensure that a malicious user is not trying to sign up for a sensitive system.”
The results are reminiscent of when a company called Patanjali launched the Kimbho app for the Indian market, claiming to be more privacy-clad than WhatsApp. Baptiste uncovered that not only was it a “security nightmare” as he put it, but also that it was a copy of another messaging app — thus hamstringing its market entry.
In Tchap’s case, the platform, which was developed by the French cybersecurity agency (and named after early French telegraph pioneer Claude Chappe), has once again been shored up, and the French government said that it still plans to require its use in lieu of WhatsApp and Telegram for any informal communications between government employees, agencies and some handpicked non-governmental organizations.