Government app hacked. What happened?
What would come in mind if you hear about an app exclusively used by a government organization was infiltrated due to a vulnerability? Checkmate! As a citizen who belongs to that country managed by the government, you will feel worried and less secured.
Last week it was reported by various news source that the app dubbed “Tchap” created by the French government was infiltrated by a white hat hacker.
Tell me more about the app?
Tchap – an app created by the French government which supports end to end encrypted messaging system with the purpose of keeping their officials, parliamentarians and ministers data on servers inside the country over concerns that foreign agencies could use other services to spy on their communications.
It is available to download via Playstore.
Only the following email domains can sign up on Tchap:
- @gouv.fr
- @elysee.fr
It was built using the Riot client.
Riot Client – an open source instant messaging software that implements self-hostable Matrix protocol for end-to-end encrypted communication.
Is this the same Riot and Matrix?
It was a known event that an unknown hacker was able to breach the systems thus stealing confidential information such as unencrypted messages, password hashes, access tokens, and GPG keys the project maintainers used for signing packages. Its main site is Matrix.org where its users were forced to log out due to the intrusion of the hacker prior to the Tchap breach.
Who is the white hat hacker who alerted the Tchap vulnerability?
Luckily, it is a white hat hacker who quickly informed about the vulnerability of Tchap. He is known as Robert Baptiste, a French security researcher aka Elliot Anderson in Twitter.
What was the loophole?
A user can sign up even without owning an email domain belonging to the whitelisted email domains(@gouv.fr, and @elysee.fr). This was possible by working a way around the signup page of the app. Here were the steps used to bypass the whitelisted domains:
- Go to the signup page.
- Enter your email address([email protected]@gouv.fr)
- Receive an email from Tchap.
- Validate your account.
- Now you can log in!
Good news is this was patched, because the Matrix team was notified. The possible bad news, somebody else could have logged in and got hold of sensitive information.
This could have been detected the other way around only if the French government invested more on their security team that could have performed online fraud prevention. Database auditors could have easily checked the integrity of the data through a robust Fraud Management strategy in which some companies can offer as a service.