French chat app for civil servants was accessible to outsiders due to bug


A privacy-focused communication app from the French government was cracked almost immediately after its release. The French government had developed Tchap as an internal messaging service, but a security researcher soon managed to gain access to the service himself.

The app was intended only for internal use by French government officials. They could sign up with an email address ending in @gouv.fr or @elysee.fr. A security researcher who calls himself Elliot Alderson, however, managed to get in by appending @elysee.fr to his own full email address. By gaining access to the public channels, he could read along with communications between officials.

Tchap is a fork of the existing chat app Riot. In it, users can create public channels and chat privately. The app is built on the Matrix protocol, an alternative to the Signal protocol, which is used to encrypt WhatsApp as well as Signal. Messages on Tchap are end-to-end encrypted and are stored on French servers.

The bug is said to lie in the parsing performed by certain Python modules. The researcher reported the vulnerability to the Matrix developers and waited to publish until it was fixed. He later described his findings in a blog post. The vulnerability has now been fixed and, according to Matrix, it has not been abused.
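As an added illustration (not code from Tchap, Matrix or the researcher's post), the Python sketch below shows how a sign-up check that only looks at the end of an address can disagree with a lenient parser about which mailbox the address names, next to a stricter check that rejects such input. The function names, the lenient parser stand-in, the exact-match domain rule and the sample addresses are constructed assumptions.

```python
# Added example: hypothetical sign-up check, constructed sample addresses.
ALLOWED_DOMAINS = {"gouv.fr", "elysee.fr"}  # the two domains named in the article
FORBIDDEN = set('<>(),;:"\\')               # characters with special meaning in address syntax


def naive_is_allowed(address: str) -> bool:
    """Weak check: only looks at how the string ends."""
    suffixes = tuple("@" + d for d in ALLOWED_DOMAINS)
    return address.lower().endswith(suffixes)


def lenient_mailbox(address: str) -> str:
    """Stand-in for a lenient parser that keeps only the first local@domain.

    Hypothetical helper, not the behaviour of any specific library.
    """
    local, _, rest = address.partition("@")
    return f"{local}@{rest.split('@', 1)[0]}"


def strict_mailbox(address: str):
    """Return (local, domain) for a plain 'local@domain' string, else None."""
    if any(ch.isspace() or ord(ch) < 0x20 or ch in FORBIDDEN for ch in address):
        return None
    if address.count("@") != 1:  # more than one '@' is ambiguous: reject
        return None
    local, domain = address.split("@")
    if not local or not domain:
        return None
    return local, domain.lower()


def strict_is_allowed(address: str) -> bool:
    """Authorise only when the unambiguous domain is exactly on the allowlist."""
    parsed = strict_mailbox(address)
    return parsed is not None and parsed[1] in ALLOWED_DOMAINS


if __name__ == "__main__":
    samples = ["agent@elysee.fr", "outsider@example.org@elysee.fr"]  # constructed
    for s in samples:
        print(f"{s!r}: naive={naive_is_allowed(s)} "
              f"delivered_to={lenient_mailbox(s)!r} strict={strict_is_allowed(s)}")
```

The point for a defender is that the string being authorised and the mailbox that receives the confirmation mail must be the same value; rejecting any address the strict parser cannot read unambiguously enforces that.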

The Tchap app was released in beta by the French government on Wednesday. Tchap is meant to be a secure alternative to WhatsApp and Telegram, two apps that were widely used by officials. Tchap was created by the Direction interministérielle des systèmes d’information et de communication de l’Etat, or Dinsic. That is the French government service that deals with digital matters.
