Submitted via IRC for Bytram
resubmitted for EarnestGoesToSpace
Bug in French government's WhatsApp replacement let anyone join Élysée chats
On April 17, the French government introduced an Android application meant to be used by government employees as an internal secure channel for communications. Called Tchap, it was touted as a replacement for WhatsApp and Telegram, providing (in theory) both group and private messaging channels to which only people with government email addresses could join.
Tchap is not intended to be a classified communications system—it runs on regular Android phones and uses the public Internet. But as the DINSIC, the French inter-ministry directorate for information systems that runs Tchap put it, Tchap "is an instant messenger allowing government employees to exchange real-time information on everyday professional issues, ensuring that the conversations remain hosted on the national territory." In other words, it's to keep official government business off of Facebook's and Telegram's servers outside France.
Based on the Riot.im chat application from the open source project Matrix, Tchap is officially still in "beta," according to DINSIC. And that beta test is getting off to a rough start. Within two days, French security researcher Baptiste Robert—who goes by the Twitter handle @fs0c131y (aka Elliot Alderson)—had tapped into Tchap and subsequently viewed all of the internal "public" discussion channels hosted by the service.
On the bright side, DINSIC responded quickly, and the agency is now embracing input from security researchers to help make the application more secure. But as with many "digital transformation" projects, this one was done with perhaps a bit too little prior planning for security.
(Score: 2) by JoeMerchant on Wednesday April 24 2019, @01:35PM
They're following the Microsoft development model: users are your best (and often only) testers.
It may not be efficient, or secure, but it does make it easier to hit promised delivery dates.
🌻🌻 [google.com]