Vulnerability in French Government Tchap Chat App

A researcher found a vulnerability in the French government WhatsApp replacement app: Tchap. The vulnerability allows anyone to surreptitiously join any conversation.

Of course the developers will fix this vulnerability. But it is amusing to point out that this is exactly the backdoor that GCHQ is proposing.

EDITED TO ADD (5/13): Some clarifications.

Posted on April 24, 2019 at 6:23 AM • 9 Comments

Comments

Vincent ArcherApril 24, 2019 6:43 AM

That vulnerability was a bit more stupid than the backdooring.

Basically, to join, your email address had to match the following regexp .*@.*gouv\.fr

Note the absence of termination. Anything after gouv.fr is allowed. So soandso@myserver.gouv.fr.mydomain.com is a valid address that let you join the service.

I'm slightly oversimplifying, but it's the gist of the first vulnerability. The researcher stopped tweeting after the fifth vuln.

Gunter KönigsmannApril 24, 2019 6:51 AM

...and it was the 2nd one: One of the requirements was that one could backup the public key on the server and when someone found a way to download them they told no sensitive data was lost as hopefully no-one uses their server passwords as pubkey password. Were the french one of the ones who opted for backdoors?

Matthew HodgsonApril 24, 2019 10:45 AM

I'm the project lead for Matrix.org, the open source project which Tchap is built on - unfortunately there's some confusion around this story which I'd like to clarify:

  • The vulnerability didn't allow anyone to surreptitiously join any conversation or add ghost devices. Instead, it let users sign up on the platform and view public chatrooms even if they didn't have a .gouv.fr email address. We patched the bug in roughly 2 hours of it being reported; nobody exploited it other than the original researcher. The other issues reported by the original researcher were accorded minor severity, for what it's worth.
  • It wasn't a regexp-based email validation failure - instead, it was sadly caused by a bug in Python's standard library (email.utils.parseaddr) - https://bugs.python.org/issue34155 to be precise. The punchline is:
    $ python -c 'import email.utils; print email.utils.parseaddr("bob@evil.com@google.com")'
    ('', 'bob@evil.com')
    
    Full details at https://matrix.org/blog/2019/04/18/security-update-sydent-1-0-2/
  • Matrix protects against the GCHQ-style attack of adding ghost devices by doing double-ratchet based E2E encryption on a per-device rather than per-user basis. Each device has to be verified (either directly or transitively in the near future) to avoid malicious devices getting added.

The original Ars story sadly also has several errors (this email parsing bug only impacted the deployment for France in practice; it didn't take down the rest of the network or Matrix.org - the tweet they linked to is unrelated to Tchap; the deployment for France was audited at the infra level; etc).

Meanwhile, I'm not sure what Gunter's comment is talking about, but I don't think it's to do with Matrix.

It's a bit disturbing to see how the reality of an incident like this can get distorted as the story spreads...

BillApril 24, 2019 12:59 PM

@Matthew Hodgson

Indeed it is disturbing how the exact technical details get all mixed up by "the media" so often....

But here's the situation: we common ordinary people have been bombarded for so long by so many ludicrous disturbing happenings from every government worldwide, that we expect the worst from all of them now.... I feel sorry for those who are really trying their best to do a good job and do the right thing, it must be disheartening for them, it just seems so rare for us common people to find any of them...

MikeApril 25, 2019 4:55 AM

I wouldn't assume the French are good guys. It appears that they usually don't want to be on the same platform as the five eyes when it comes to spying, but it doesn't mean they don't spy.

CBApril 26, 2019 9:51 AM

@Mike

Due to some important conflicts over industrial secrets regarding air and space technologies between Airbus and Boeing / Arianespace and NASA it is understandable that France doesn't want to completely share their spying tools with the five eyes.

But rest assured that even between the five eyes each one has a set of personal secrets that it does not want to share with the 4 others.

Spying on your own friends and hiding some critical info from them is some of the most important activities of any government. Because a trusty friend who turns against you unexpectedly is much more dangerous than an age old enemy who sends you yet another attack as usual. So you should better have some secret treason-mitigating measures just in case some day your huge military power is not enough to keep them in line.

MarcusMay 1, 2019 5:42 AM

I lost my respect to both you and arstechnica. Seriously, reporting fake news and not even correcting the information after you've been told about how wrong it is? This isn't journalism.

This is barely a vulnerability at all. Read the "researcher's" twitter, they are a trolling script kiddie. Why not report about matrix.org breach instead which was a real security issue?

And media orgs expect me not to block ads on this sort of websites?! The author didn't do any research, he didn't even hide the signs of copy and pasting without prior reading. Purely sensational and manipulational.

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Sidebar photo of Bruce Schneier by Joe MacInnis.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.