France’s ‘Secure’ Telegram Replacement Hacked Almost Instantly


The French Government last week launched a custom messaging application called Tchap, touting it as being “more secure than Telegram.” One small snag: the platform has already been hacked.

French security researcher Robert Baptiste, a.k.a. Elliot Alderson, downloaded the app from Google Play and quickly discovered an email validation flaw in the account creation process.

The app is supposed to restrict account creation so that only people with government emails are able to use the platform (i.e., working emails ending in @gouv.fr or @elysee.fr, the latter of which is the French presidential residence). However, by appending a legitimate email address for one of these domains to his own, Alderson found that he was cleared by the app’s backend to create an account and gain access to messaging groups.

After carrying out static and dynamic analysis, he found that during account registration the app sends a token request carrying the user’s email address; the backend parses that address to make sure it belongs to a permitted domain before sending a validation email. By supplying a specially formatted email address in that request, he was able to trick the validation mechanism.

Baptiste’s first attempt failed: “In the requestToken request, I modified [my] email to ‘[address withheld]@elysee.fr’; hum, no validation email in my inbox,” he said in a blog post on Friday. “Wait, [I thought,] maybe it is waiting a known @elysee.fr email address.”

So, after googling to uncover a legitimate, in-use email (specifically, “[address withheld]”), he tried again, using “[address withheld]@[address withheld]”.


“Bingo! I received an email from Tchap, I was able to validate my account…and gain access to public rooms [in the app],” he explained. The whole, simple process took just over an hour to complete.

Matrix, the open-source project whose code Tchap is built on, explained the vulnerability in more detail late last week after fixing the bug.

The Riot code fork that underpins the app, dubbed sydent, “uses Python’s email.utils.parseaddr function to parse the input email address before sending validation mail to it,” Matrix explained. “But it turns out that if you hand parseaddr a malformed email address of form [address withheld]@c.com, it silently discards the @c.com prefix without error. The result of this is that if one requested a validation token for ‘[address withheld]@important.com’, the token would be sent to ‘[address withheld]’, but the address ‘[address withheld]@important.com’ would be marked as validated.”

Matrix updated the code on the backend the same day that Baptiste notified it of the vulnerability, so that it now requires that the parsed email address is the same as the input email address.
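The behaviour described above, and the fix Matrix applied, can be reproduced with a few lines of Python. The following is an added example, not code from sydent or from the researcher: it contrasts the naive “does the address end in a permitted domain” check criticised later in the article with a hardened check that requires parseaddr’s output to be byte-for-byte identical to the submitted address. The domains in ALLOWED_DOMAINS and the sample addresses are constructed placeholders.

```python
import email.utils

# Constructed allowlist of registration domains (placeholders, not Tchap's real list).
ALLOWED_DOMAINS = {"allowed.example", "important.example"}


def naive_is_allowed(address: str) -> bool:
    """The flawed check: trust any input that merely ends in a permitted domain.
    A malformed 'attacker@evil.example@important.example' satisfies this even
    though the validation mail is not delivered to the permitted domain."""
    return any(address.endswith("@" + domain) for domain in ALLOWED_DOMAINS)


def parsed_mailbox(address: str) -> str:
    """Return the addr-spec that email.utils.parseaddr extracts from the input.
    Older Python versions turn 'a@b.example@c.example' into 'a@b.example',
    silently dropping the trailing '@c.example'; versions with the later
    stdlib fix return '' instead. In both cases the result differs from the
    input, which is exactly what the hardened check relies on."""
    _display_name, addr_spec = email.utils.parseaddr(address)
    return addr_spec


def hardened_is_allowed(address: str) -> bool:
    """Mirror of the fix described in the article: the parsed address must be
    identical to the submitted one, and its domain must be on the allowlist.
    Any input that parseaddr rewrites, truncates or rejects is refused."""
    addr_spec = parsed_mailbox(address)
    if not addr_spec or addr_spec != address:
        return False
    local_part, _, domain = addr_spec.rpartition("@")
    return bool(local_part) and domain.lower() in ALLOWED_DOMAINS


def classify(address: str) -> dict:
    """Summarise how each check treats one submitted address."""
    return {
        "input": address,
        "parsed": parsed_mailbox(address),
        "naive": naive_is_allowed(address),
        "hardened": hardened_is_allowed(address),
    }


if __name__ == "__main__":
    # Constructed sample inputs covering the genuine case, the malformed shape
    # from the article, a display-name form, and a plain wrong domain.
    samples = [
        "alice@allowed.example",
        "attacker@evil.example@important.example",
        "Alice <alice@allowed.example>",
        "bob@evil.example",
    ]
    for sample in samples:
        print(classify(sample))
```

Comparing the parsed result with the raw input, rather than only checking the domain of the parsed result, is what closes the gap: the address that ends up validated is guaranteed to be the same string the validation mail was sent to.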

“Writing a messaging application is challenging in itself, and in this particular case, it looks like the authentication module was also custom-developed,” said Nabil Hannan, managing principal at Synopsys, via email. “The fact that the authentication and user-signup process was not created securely, and it was simply trusting that if the user provided a username that simply ended in ‘@french-government-domain.com’ and allowing them to sign-up and authenticate is completely flawed.”


He added, “For sensitive systems like this, there needs to be out-of-band authentication of the user email (or contact) provided to ensure that a malicious user is not trying to sign up for a sensitive system.”

The results are reminiscent of when a company called Patanjali launched the Kimbho app for the Indian market, claiming to be more privacy-clad than WhatsApp. Baptiste uncovered that not only was it a “security nightmare” as he put it, but also that it was a copy of another messaging app — thus hamstringing its market entry.

In Tchap’s case, the platform, which was developed by the French cybersecurity agency (and named after early French telegraph pioneer Claude Chappe), has been once again shored up, and the French government said that it still plans to require its use in lieu of WhatsApp and Telegram, for any informal communications between government employees, agencies and some handpicked non-governmental organizations.
