
The French Govt's Hand-Rolled Encrypted Messaging Service (Briefly) Allowed Anyone To Pretend They Were A Government Official

from the inauspicious-debut dept

Early last year, news leaked out that the French government was building its own encrypted messaging service. This seemed a bit disingenuous when this same government was routinely calling for backdoors in encryption for everyone else. The potential upside of the government rolling its own is that it would push government officials off third-party services and onto a platform where they might not be compromised along with everyone else if or when these privately-run platforms were hacked/backdoored.

The problem with rolling your own encryption is that it's a more daunting task than those asking for it imagine it will be, as Mike Masnick pointed out in last year's post:

However, doing encrypted messaging well is... difficult. It's the kind of thing that lots of people -- even experts -- get wrong. Rolling your own can often get messy, and you have to bet that a government rolling its own encryption for government officials to use is going to be a clear target for nation-state level hackers to try to break in. That's not to say it can't be done, but there are a lot of tradeoffs here, and I'm not sure that the best encryption is going to come from a government employee.

So far, this warning has proven true. The best encryption hasn't come from a government employee. At least, not yet. As Sean Gallagher writes for Ars Technica, the government's handmade messaging service, Tchap, has already been broken by a security researcher.

The name servers set up by the departments and ministries of the French government running Matrix's code were parsing email addresses submitted for new accounts to check against existing email addresses within their directory services. After doing code analysis on the Tchap package posted to Google's Play store, [researcher Baptiste] Robert used the Frida proxy tool to alter a Web request for a new account from the app to pass a crafted email address value that grafted his own address onto a known account on the targeted directory server—presidence@elysee.fr, the official email address of the Élysée, the official residence of France's president. The value sent to the server used an @ symbol to separate the two addresses (anaddress@protonmail.com@presidence@elysee.fr).

Because of the way the directory service validated the email address, it matched the address in the second half of the pair with the known address. But the code that parsed the address for the validation email on the server side, which was built with the Python email.utils module, trimmed off everything after the first valid address. That means Robert got an email back for verification of the account, and the server thought the address was an official government account.
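The parsing mismatch described in the quoted report, as an added example (not code from Tchap, Matrix or the Ars Technica report): two simplified models of the disagreeing components, next to a hardened check that accepts only a single address that round-trips unchanged through `email.utils.parseaddr`. The allow-list, the function names and the two models are assumptions made for illustration.

```python
import re
from email.utils import parseaddr

# Constructed for this example: the allow-list and function names are assumptions.
ALLOWED_DOMAINS = {"elysee.fr"}
# Crafted value quoted in the article.
CRAFTED = "anaddress@protonmail.com@presidence@elysee.fr"


def directory_check(raw: str) -> bool:
    """Model of the flawed check: trusts whatever follows the last '@'."""
    return raw.rsplit("@", 1)[-1].lower() in ALLOWED_DOMAINS


def delivery_address(raw: str) -> str:
    """Model of the mail-sending side: keeps only the first complete address."""
    match = re.match(r"[^@\s]+@[^@\s]+", raw)
    return match.group(0) if match else ""


def is_acceptable(raw: str) -> bool:
    """Hardened check: one canonical address, read identically by every component."""
    if raw != raw.strip() or raw.count("@") != 1:
        return False
    # parseaddr's handling of malformed input has varied across Python releases,
    # so require that it returns the input unchanged instead of trusting its output.
    _, parsed = parseaddr(raw)
    if parsed != raw:
        return False
    local, domain = raw.split("@")
    return bool(local) and domain.lower() in ALLOWED_DOMAINS


if __name__ == "__main__":
    for candidate in (CRAFTED, "presidence@elysee.fr", "Someone <presidence@elysee.fr>"):
        print(candidate)
        print("  flawed directory check passes:", directory_check(candidate))
        print("  verification mail goes to    :", delivery_address(candidate))
        print("  hardened check accepts       :", is_acceptable(candidate))
```

The safe pattern is to validate and deliver against the same canonical string, rejecting any input that two parsers could read differently.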

Not only was Robert able to get his faux account validated within two hours of downloading the app, he was also able to obtain plenty of info linked to other government account profiles. On the bright side, the team behind the app reacted quickly to notification of the security flaw and suspended account creation until it could be patched. The French government has also instituted a bug bounty program for Tchap, which will hopefully result in further flaws being addressed before they're exploited by criminals or state-sponsored hackers.

To be fair, Tchap is still in its "beta" stage. But that's not much comfort considering it was rolled out for use in this state, exposing government employees' personal account info and allowing any outsider to take a seat at the Tchap table just by exploiting the system's less-than-robust validation process.


Filed Under: encryption, france


Reader Comments


  1. Canuck, 24 Apr 2019 @ 1:27pm

    Retarded coders

    Gawd, what a bunch of idiots. Can't even parse/verify/reject email addresses correctly. Sounds about right - government coders here can't figure out how to display latitude/longitude to less than eight decimal places. Here's a real example: 46.54111111, -84.32555556. That's right, apparent millimeter or better accuracy from consumer GPSrs...

    The losers don't understand what happens when you use floating point storage for data that has no business being converted to floats. Gorram retards everywhere.

