Marina Kidron, April 24, 2019

The French government faced embarrassment last week when, within an hour of its launch, serious security flaws were discovered in Tchap, a messaging app the government had pitched as more secure than Telegram. The vulnerability's lifecycle was a whirlwind for the app's security team: it was discovered, disclosed, fixed and publicly reported in under a day. So, although the go-live could never be described as smooth, the team behind it should still be commended for taking rapid action.

Tchap’s launch: what went wrong?

The app stumbled almost immediately. It was intended exclusively for people working in the French government, and account creation was meant to be restricted so that only holders of government email addresses could use the platform. That restriction was swiftly shown not to hold.

French security researcher fs0c131y, the self-styled “worst nightmare of Oneplus, Wiko, UIDAI, Kimbho, Donald Daters and others” who also goes by the name Elliot Alderson (the main character of USA Network’s popular hacker drama Mr. Robot), downloaded the app when it went live and was soon able to register an account he should not have been able to create. Although the app had been set up to only accept or email addresses, fs0c131y found that any email address which included a governmental domain in the string would be accepted. So, an email address like could be adapted to and would be understood by the app to be a legitimate account.

That alone wouldn’t have been a massive problem if the owner of the illegitimate account had then been unable to reach Tchap’s main interface. But that wasn’t the case. The app would only read the first part of the inputted email address – the – and would send the validation email through to that account. Essentially, this flaw gave anyone with an email address unfettered access to its sensitive message exchanges.

The view from inside Tchap, as shared by fs0c131y

What caused Tchap’s access problems?

The root cause lay in how Python’s email processing module, email.utils, handles malformed input. Its parseaddr function, given a string containing more than one ‘@’, returned the portion before the second ‘@’ as the address instead of rejecting the input, so an application that checked the domain of the submitted string but then mailed whatever parseaddr extracted was validating one value and acting on another. The CPython issue, bpo-34155, was first reported on July 19, 2018, and parseaddr wasn’t fixed until April 19, 2019 – the day that Tchap’s security flaws were published.

The CVE record for this issue, CVE-2019-11340, currently names only Matrix’s Sydent identity server as affected. That is likely to change: any application that relies on email.utils.parseaddr for the same kind of domain check is exposed in the same way. To Matrix’s credit, they fixed the issue in a matter of hours. But for the other affected applications, the question of how long patching will take is still open almost a week after the disclosure.
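The pattern behind the bug, as an added example that is not Tchap’s, Sydent’s or CPython’s code: a domain policy check applied to the submitted string, followed by a recipient taken from `email.utils.parseaddr`. The allowed-domain list and every address below are constructed for the demo, and modelling the weak check as a plain suffix test on the raw string is my reading of the article, not Sydent’s actual logic. The hardened version validates one canonical value, requires exactly one ‘@’ and an exact domain match, and refuses to proceed if the library parser disagrees with what was validated.

```python
"""Added example (not the project's code): the validate-one-thing,
act-on-another flaw behind CVE-2019-11340, beside a hardened check.

ALLOWED_DOMAINS and all addresses are constructed for this demo.
"""
from email.utils import parseaddr

ALLOWED_DOMAINS = {"agency.example", "ministry.example"}  # constructed list


def parseaddr_is_patched():
    """True if this interpreter carries the bpo-34155 fix, which makes
    parseaddr() return ('', '') for addresses with more than one '@'
    instead of the text before the second '@'."""
    return parseaddr("a@b.example@c.example")[1] == ""


def vulnerable_recipient(submitted, allowed=ALLOWED_DOMAINS):
    """Modelled weak flow (assumption, not Sydent's code): the policy check
    looks at the raw string, but the verification mail goes to whatever
    parseaddr() extracts. Returns the recipient, or None if rejected."""
    # Suffix test on the raw text: passes for "x@evil.example@agency.example"
    # and, as a bonus weakness, for "x@notagency.example".
    if not any(submitted.endswith(domain) for domain in allowed):
        return None
    _, recipient = parseaddr(submitted)  # may be a different address entirely
    return recipient or None             # '' (patched Python) means "fail closed"


def hardened_recipient(submitted, allowed=ALLOWED_DOMAINS):
    """Validate a canonical address and act only on that exact value."""
    if submitted.count("@") != 1:        # two '@' is an attack, not an address
        return None
    local, domain = submitted.rsplit("@", 1)
    domain = domain.lower()
    if not local or domain not in allowed:  # exact membership, never suffix
        return None
    canonical = f"{local}@{domain}"
    # Cross-check: the library parser must agree with what we validated.
    # If it would extract anything else, refuse rather than guess.
    if parseaddr(canonical)[1] != canonical:
        return None
    return canonical


if __name__ == "__main__":
    samples = [  # constructed inputs
        "alice@agency.example",
        "attacker@evil.example@agency.example",
        "attacker@notagency.example",
        "alice@other.example",
    ]
    print("parseaddr patched for bpo-34155:", parseaddr_is_patched())
    for sample in samples:
        print(f"{sample:40} weak -> {vulnerable_recipient(sample)!s:24}"
              f" hardened -> {hardened_recipient(sample)}")
```

On an interpreter that predates the bpo-34155 fix, the weak flow mails the verification link to `attacker@evil.example` for the double-‘@’ input; on a patched interpreter parseaddr returns an empty address and the weak flow fails closed. The suffix-match weakness (`attacker@notagency.example`) survives on every Python version, which is why the hardened check compares the whole domain rather than relying on the parser to save it.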

How a threat-centric approach helps to improve security

There are obvious concerns surrounding the flaws in Tchap’s launch. If someone with more malicious intent than fs0c131y had discovered the flaw, they would have been able to read the information shared in the app’s public rooms. If you run a company intranet, or any similar app-based service that you believe only admits users with a company email address, it’s important to know whether you are exposed to vulnerabilities like CVE-2019-11340.

Skybox maintains a threat-oriented vulnerability database which is updated with information from a large number of public and private sources. When a new exploit for a vulnerability appears, we ensure that it’s published within a maximum of 24 hours. We keep multiple records per CVE, which means the database is usually more comprehensive than the National Vulnerability Database. When new information comes out – as it doubtless will for the vulnerability that affected Tchap – the record will be updated.

It’s important to know which vulnerabilities exist within your network. CVE-2019-11340 may well be one of them. But if you can’t identify the vulnerability, and if you have little contextual understanding of how its exploitation could affect your business, it’s almost impossible to define an effective remediation strategy. Tchap was fixed almost as soon as its flaws were discovered. That isn’t the case for most exploited vulnerabilities: to maintain your security posture, you need visibility of your entire environment and an understanding of the implications of each vulnerability. Without that level of intelligence, it’s open season for attackers.


Marina Kidron is Skybox Security's director of threat intelligence and leader of the Skybox Research Lab, a dedicated team of analysts who daily scour dozens of security feeds and sources and investigate sites in the dark web. Kidron has more than 10 years of experience in business and statistical data analysis, data modeling and algorithms development for information technology, mobile and internet companies and financial services companies. She earned a Master's degree in Political Marketing, and a Bachelor degree in Computer Science and Mathematics.
