By “Chat app” we don’t mean an app to swipe through pictures of cats, but the French government’s actual chatting application, Tchap. The newly-launched app is designed for government officials to communicate securely, using internal servers to avoid wannabe spies (or actual spies from foreign agencies) having a look in on what they are saying.
Of course this means people were always going to give it a try at least and that’s exactly what white-hat hacker, Robert Baptiste, decided to do. Robert found a loophole in the app’s email verification, enabling him to sign up, despite not having a verified government email address. You see, anyone can download the app. It’s free on the Google Play Store.
The only thing stopping everyone getting on is that you have to sign up with a government email address and then confirm signing up by clicking on a link in the verification email. Official government email addresses would have to be something approved already such as @gouv.fr or @elysee.fr.
To get around this, Robert amended his email address from “firstname.lastname@example.org” to “email@example.com@firstname.lastname@example.org”
This tricked the validation method into believing it was an official email address and sent him the validation email, which he promptly clicked on and gained access to the app. Being a white-hat hacker he obviously didn’t snoop on any secrets. Instead he just revealed that he had access to the Government’s public chatrooms and told the developers, Matrix, about the bug before anyone else could access it with more nefarious intent. Matrix quickly released a patch with an update to fix this vulnerability.