France made good on its promise to launch a secure government-only chat app — although it almost didn’t turn out that way. The country has introduced a beta version of Tchap, a messaging app that helps officials communicate with each other through Android, iOS and the web with reportedly greater security than they’d have with off-the-shelf apps. All private conversations are encrypted end-to-end, antivirus software screens all attachments and all data is stored in France. You only need a French government email address to sign up, though, and that’s where the security issue resided.
Security researcher “Elliot Alderson” (aka Baptiste Robert) discovered that Tchap’s email address check wasn’t as stringent as it should be. He succeeded in signing up simply by appending an @elysee.fr address (the presidential palace’s domain) to the end of the email address he actually used — the validation email was still delivered to his own account. From there, he could see public chats and theoretically start conversations with government workers.
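The class of bug described above, as an added Python illustration (this is not Tchap’s or Matrix’s actual code): an assumed weak check that only asks whether the address ends with an allowed government domain is contrasted with a strict check that parses the address and rejects anything carrying more than one “@”. The allow-list and addresses are constructed for the example.

```python
"""Weak vs. strict allow-listed-domain check for sign-up e-mail addresses.

Added illustration only; the weak checker is an ASSUMED reconstruction of the
bug class the article describes, not the real Tchap/Matrix code.  It accepts
any string that merely ends with an allowed domain, so an address with a
second '@' satisfies the check while mail is delivered to the first mailbox.
The strict checker parses the address and compares the domain exactly.
"""
import re

# Constructed allow-list for the example (subdomains of gouv.fr are accepted).
ALLOWED_DOMAINS = {"elysee.fr", "gouv.fr"}

# Local part: conservative character set, and in particular no '@'.
_LOCAL_PART = re.compile(r"^[A-Za-z0-9._%+-]+$")


def weak_is_government_address(email: str) -> bool:
    """Assumed weak check: accept if the string ends with an allowed domain."""
    return any(email.lower().endswith("@" + d) for d in ALLOWED_DOMAINS)


def strict_is_government_address(email: str) -> bool:
    """Strict check: exactly one '@', well-formed local part, exact domain."""
    email = email.strip()
    if email.count("@") != 1:          # rejects 'user@other.example@elysee.fr'
        return False
    local, domain = email.split("@")
    if not _LOCAL_PART.fullmatch(local):
        return False
    domain = domain.lower().rstrip(".")
    return any(domain == d or domain.endswith("." + d) for d in ALLOWED_DOMAINS)


def compare_checks(addresses):
    """Run both checkers over a list of addresses; returns {addr: (weak, strict)}."""
    return {a: (weak_is_government_address(a), strict_is_government_address(a))
            for a in addresses}


if __name__ == "__main__":
    # Constructed sample sign-up attempts.
    samples = [
        "agent@elysee.fr",                       # legitimate
        "agent@interieur.gouv.fr",               # legitimate subdomain
        "mallory@attacker.example@elysee.fr",    # the bug class from the article
        "mallory@elysee.fr.attacker.example",    # look-alike suffix
    ]
    for addr, (weak, strict) in compare_checks(samples).items():
        print(f"{addr:40} weak={weak!s:5} strict={strict}")
```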
This won’t be an issue going forward. The researcher got in touch with both the government as well as Matrix, the team behind the open source Riot software at the heart of Tchap. Matrix fixed the issue just in time for the launch, preventing a potential embarrassment.
DINSIC, the French government’s digital agency, promised that Tchap will go through “continuous improvement” in both security and functionality. It saw the last-minute fix as evidence of that approach in action, and planned to start a bug bounty program to incentivize security experts. Officials may not shift many of their discussions to the app in the near future. Whether or not they do, it could help them wean themselves off general-purpose apps like Telegram (a favorite of President Macron) and reduce the chances of intruders eavesdropping on officials.