The popular French white hat hacker Robert Baptiste (aka @fs0c131y) discovered how to break into
The app was developed by DINSIC (Interministerial Directorate of Digital and Information System and Communication
It aims to replace popular instant messaging services such as Telegram and WhatsApp for government employees.
@gouv.fr or @elysee.fr email accounts)
The key point of Tchap is that encrypted communications flow through internal servers, to prevent cyber attacks carried out by foreign nation-state actors.
News of the day is that Robert Baptiste found a security bug that could allow anyone to sign up for a Tchap account and access groups and channels without using an official government email address.
The expert performed a dynamic analysis of the mobile app and found that it implements certificate pinning in the authentication process. After he disabled the pinning with Frida, he observed that during registration the app requests a token.
The expert noticed that, depending on the email address provided by the user, the app selects the “correct” id_server. The list of available servers
“I set id_server to matrix
“So I did another try and in the requestToken request and
The expert demonstrated how to create an account with the service using a regular email address by exploiting a potential email validation vulnerability in the Android version of the Tchap app.
After logging in as an Elysée employee, he was able to access the public rooms.
Robert reported the issue to the Matrix team, which develops the Riot client; it quickly fixed the bug and released a patch. The patch was specific to the application developed by French intelligence.
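As an added defender-side illustration (not Tchap's, Riot's or the Matrix project's code), the snippet below contrasts a registration requestToken handler that trusts the client-chosen id_server with one that enforces the email-domain policy on the homeserver itself. The field names follow the Matrix r0 client API; the domain allowlist and identity-server name are constructed placeholders.

```python
import re
from typing import Dict, Optional, Tuple

# Constructed allowlists (placeholders, not Tchap's real configuration).
ALLOWED_EMAIL_DOMAINS = {"gouv.fr", "elysee.fr"}
CONFIGURED_ID_SERVER = "id.internal.example"   # chosen by the homeserver, never by the client

EMAIL_RE = re.compile(r"^[^@\s]+@([^@\s]+)$")


def email_domain(email: str) -> Optional[str]:
    """Return the exact domain part of an address, or None if it is malformed."""
    m = EMAIL_RE.match(email.strip().lower())
    return m.group(1) if m else None


def weak_request_token(body: Dict) -> Tuple[bool, str]:
    """Weak handler: relays the request to whatever id_server the client put in
    the body, so any policy enforced by the 'correct' identity server can be
    sidestepped simply by naming a different one."""
    if "email" not in body or "id_server" not in body:
        return False, "M_MISSING_PARAM"
    return True, body["id_server"]


def hardened_request_token(body: Dict) -> Tuple[bool, str]:
    """Hardened handler: the homeserver checks the email domain itself and
    always uses its configured identity server."""
    for field in ("email", "client_secret", "send_attempt"):
        if field not in body:
            return False, "M_MISSING_PARAM"
    domain = email_domain(body["email"])
    if domain is None:
        return False, "M_INVALID_PARAM"
    # Exact match: 'gouv.fr.example.com' must not pass an endswith-style check.
    if domain not in ALLOWED_EMAIL_DOMAINS:
        return False, "M_FORBIDDEN"
    # A client-supplied id_server is rejected unless it equals the configured one.
    if body.get("id_server", CONFIGURED_ID_SERVER) != CONFIGURED_ID_SERVER:
        return False, "M_FORBIDDEN"
    return True, CONFIGURED_ID_SERVER
```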
As an aside, last week Matrix.org warned users of a security breach: an attacker gained unauthorized access to its production databases, including unencrypted message data, access tokens, and password hashes.
According to Matrix.org, the attacker exploited a known vulnerability in the Jenkins open source automation server to hijack credentials and gain access to the organization's systems. Homeservers, source code and packages, identity servers, and Modular.im servers were not impacted.