A couple of days ago we told you about this brand new app that the French government has developed specifically for in-house communications between government employees and agencies. While there was mention that the Tchap messaging app was far from perfect, it looks like there are quite a few bugs that they have to work on before it can be touted as a proper and secure app that other governments can emulate. For now, they’re downplaying it and hopefully fixing what needs to be fixed.
To be fair, the French government didn’t really position Tchap as a classified communications system but rather as a more secure alternative to apps like WhatsApp or Telegram for informal communication with other government employees, agencies, and certified organizations. However, it looks like it still has a lot of kinks that need fixing, and since it is still in beta, they have leeway to deal with those issues. And boy, does it have issues.
According to Ars Technica, French security researcher Baptiste Robert was able to exploit these weaknesses. By analyzing the app’s code and using a proxy tool, he fooled the app into accepting him as a government employee and was consequently able to view all of the internal public discussions hosted by the service. He then contacted DINSIC, the inter-ministerial agency that runs the app, which immediately suspended account creation.
Over three days, Robert found five flaws in the app. The Matrix team, which built the app and is based in the UK, said that the French government had not commissioned a security audit of their solution. For its part, DINSIC said that while the elements mentioned will not compromise protected information, it will still take time to manage avatars better.
DINSIC has also announced a bug bounty program so that it can “listen to the experts of civil society” and reward those who catch other bugs and flaws the app may still have. Hopefully, no government secrets or confidential materials will be harmed in this experiment.