Vulnerability in French Government Tchap Chat App
A researcher found a vulnerability in the French government WhatsApp replacement app: Tchap. The vulnerability allows anyone to surreptitiously join any conversation.
Of course the developers will fix this vulnerability. But it is amusing to point out that this is exactly the backdoor that GCHQ is proposing.
EDITED TO ADD (5/13): Some clarifications.
Vincent Archer • April 24, 2019 6:43 AM
That vulnerability was a bit more stupid than the backdooring.
Basically, to join, your email address had to match the following regexp .@.gouv.fr
Note the absence of termination. Anything after gouv.fr is allowed. So soandso@myserver.gouv.fr.mydomain.com is a valid address that let you join the service.
I’m slightly oversimplifying, but it’s the gist of the first vulnerability. The researcher stopped tweeting after the fifth vuln.
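The missing-termination problem described in the comment above, shown as an added example. It is not part of the original post or comment and is not Tchap's code. The pattern, the `gouv.fr` suffix constant, the function names and the sample addresses other than the one quoted in the comment are assumptions for illustration.

```python
import re

# Assumed pattern in the spirit of the comment: nothing terminates the match
# after "gouv.fr", so any trailing text is accepted.
UNANCHORED = re.compile(r".+@.+gouv.fr")

ALLOWED_SUFFIX = "gouv.fr"  # assumption: the allowlisted parent domain
LABEL = re.compile(r"[a-z0-9](?:[a-z0-9-]*[a-z0-9])?")


def loose_check(addr: str) -> bool:
    """Allowlist check without termination, as the comment describes it."""
    return UNANCHORED.match(addr) is not None


def strict_check(addr: str) -> bool:
    """Split once on '@' and compare the domain by DNS label, not substring."""
    if addr.count("@") != 1:
        return False
    local, domain = addr.split("@")
    if not local or not domain:
        return False
    domain = domain.lower()
    # Every label must be well formed; this also rejects empty labels.
    if not all(LABEL.fullmatch(label) for label in domain.split(".")):
        return False
    # The domain must BE the suffix or END with ".suffix" on a label boundary.
    return domain == ALLOWED_SUFFIX or domain.endswith("." + ALLOWED_SUFFIX)


def audit(addresses):
    """Return addresses the loose check admits but the strict check rejects."""
    return [a for a in addresses if loose_check(a) and not strict_check(a)]


# Constructed sample input; the second address is the one from the comment.
SAMPLES = [
    "soandso@myserver.gouv.fr",
    "soandso@myserver.gouv.fr.mydomain.com",
    "soandso@notgouv.fr",
]

if __name__ == "__main__":
    for addr in SAMPLES:
        print(f"{addr:45} loose={loose_check(addr)} strict={strict_check(addr)}")
```
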