Security flaw in French government messaging app exposed confidential conversations


The French government just launched its own messaging app called Tchap in order to protect conversations from hackers, private companies and foreign entities. But Elliot Alderson, also known as Baptiste Robert, immediately found a security flaw. He was able to create an account even though the service is supposed to be restricted to government officials.

Tchap wasn’t built from scratch. The DINSIC, France’s government agency in charge of all things digital, forked an open source project called Riot, which is based on an open source protocol called Matrix.

In a few words, Matrix is a messaging protocol that features end-to-end encryption. It competes with other protocols, such as the Signal Protocol, which is widely used by consumer apps such as WhatsApp, Signal, Messenger’s secret conversations and Google Allo’s incognito conversations — Messenger and Allo conversations aren’t end-to-end encrypted by default.

Riot is a Matrix client that works on desktop and mobile. You can join rooms, start private conversations, share photos and do everything you’d expect from a modern messaging app.

Developing Tchap became essential as Emmanuel Macron’s campaign team relied heavily on Telegram — the French government still uses Telegram and WhatsApp for many