A python vulnerability provided illegitimate access to Tchap, an app that the French government claimed was secure than Telegram—by Marina Kidron

The French government faced embarrassment last week after serious security flaws were discovered in Tchap, a messaging app that they claimed was more secure than Telegram, within an hour of its launch. The vulnerability’s discovery cycle hit the app’s security team like something of a whirlwind: it was discovered, disclosed, fixed and publicly reported all in under one day. So, although the go-live could never be described as being ‘smooth’, the team behind it should still be commended for taking rapid action.

Tchap’s launch: what went wrong?

The app fell on its back very quickly. The app was intended for exclusive use by people who worked at the French government and was meant to restrict account creation so that only people with government emails would be able to use the platform. However, this was swiftly discovered to not be the case.

French security researcher fs0c131y, the self-styled “worst nightmare of Oneplus, Wiko, UIDAI, Kimbho, Donald Daters and others” who also goes by the name of Elliot Alderson (the name of the main character from USA Network’s popular hacker drama Mr. Robot), downloaded the app when it went live and was soon thereafter able to gain illegitimate access. Although the app had been set-up to only accept @gouv.fr or @elysee.fr email addresses, fs0s131y found that any email address which included a governmental domain in the string would be accepted. So, an email address like myemail@gmail.com could be adapted to myemail@gmail.com@gouv.fr and would be understood by the app to be a legitimate account.

Which wouldn’t be a massive problem if the owner of the illegitimate account was then unable to gain entry to Tchap’s main interface. But this wasn’t the case. The app would only read the first part of the inputted email address — the myemail@gmail.com — and would send the validation email through to that account. Essentially, this flaw gave anyone with an email address unfettered access to its sensitive message exchanges.

What caused Tchap’s access problems?

The vulnerability arose as a result of improper sanitization of user-supplied input in Python’s email processing module, email.utils. The specific issue with the module, #34155, was first identified on July 19, 2018, and the open-source parseaddr method wasn’t fixed until April 19 — the day that Tchap’s security flaws were published.

This vulnerability, identified as CVE-2019–11340, currently only mentions that Matrix Sydent is vulnerable. This is likely to change: it’s inevitable that many apps which use email.utils are also affected. To Matrix’s credit, they were able to fix the issue in just a few hours. But knowing that other apps are also impacted by this vulnerability, the question about how long it will take them to patch is still lingering almost a week after the exploit.

How a threat-centric approach helps to improve security

There are obvious concerns surrounding Tchap’s failure to launch. If someone with more malicious intent than fs0s131y discovered the flaw, then they would have been able to gain access to the information shared in the app’s public rooms. If you have a company intranet, or something similar that’s app-based and that you believe should only give access to users with a company email, it’s important to be aware of vulnerabilities like CVE-2019–11340.

Skybox has a threat-oriented vulnerability database which is updated with information from a large number of public and private sources. When a new exploit of a vulnerability occurs, we ensure that it’s published within a maximum of 24 hours. We have multiple records per CVE, which means that the database is usually more comprehensive than the National Vulnerability Database. When new information comes out — as it doubtless will with the vulnerability that affected Tchap — the record will be updated.

It’s important that you know which vulnerabilities exist within your network. CVE-2019–11340 may well be one of them. But if you’re not able to identify the vulnerability, and if you have little contextual understanding of how its exploitation could impact your business, it’s almost impossible to define an effective remediation strategy. Tchap was able to be fixed almost as soon as its flaws were discovered. This isn’t the case for most exploited vulnerabilities — in order to maintain cybersecurity posture, you need to have visibility of your entire environment and you need to be aware of the implications of each vulnerability. Without that level of intelligence, it’s open season for attackers.