A vulnerability in the Tchap Chat application exposed the French government
A vulnerability in the messaging application
The French government faced embarrassment last week after serious security flaws were discovered in Tchap—a messaging application they claimed was more secure than Telegram. The vulnerability was detected within an hour of the app’s launch. However, the actions taken by the security team that developed it were impressive. Within a single day, the flaw was identified, disclosed, and patched, with the fix released as an update for users.
Launch of Tchap – what went wrong?
Tchap was designed exclusively for use by individuals working within the French government, aiming to restrict account creation so that only those with government-issued email addresses could access the platform. However, it soon became evident that this restriction was flawed.
A French security researcher, using the pseudonym “Eliot Alderson – fs0c131y”, downloaded the application immediately after its launch and was able to gain unauthorized access within a short period. Although Tchap was configured to accept only email addresses in the gouv.fr and elysee.fr domains, fs0c131y discovered a critical vulnerability: any email address containing a government domain within its string was accepted. This meant that an email like myemail@gmail.com could be altered to myemail@gmail.com@gouv.fr, and the system would recognize it as a legitimate government email.
This flaw would have been less concerning if unauthorized users were unable to access Tchap’s main user interface. Unfortunately, that was not the case. The application only processed the first part of the manipulated email address (myemail@gmail.com) and sent the account confirmation email to that inbox. Essentially, this oversight allowed anyone with an email address to register and potentially gain access to the platform’s confidential message exchanges.
What caused the accessibility issue in the Tchap application?
The vulnerability arose from improper sanitization of user-supplied data in the email processing code, which relied on Python's email.utils module. The issue with this module had been known since July 19, 2018, but it remained unfixed when the Tchap application was released.
The vulnerability, identified as CVE-2019-11340, indicates that the Matrix Sydent application is susceptible to attacks. This is likely to change soon, but it is inevitable that many other applications using email.utils are also at risk. Fortunately, the issue within Matrix was resolved within a few hours. However, knowing that this vulnerability affects other applications, the question remains: how long will it take for them to fix their source code now that the exploit was discovered a week ago?
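The two checks below, added here as an illustration and not taken from Tchap, Sydent or Python, contrast the class of domain check described above (an allowed domain appearing anywhere in the address string, with email.utils.parseaddr then yielding the part before the second "@") with a strict check that accepts only a single "@" and an exact domain match. Domain names come from the article; the function names and the test addresses are constructed for the example.

```python
import email.utils
from typing import Optional

# Domains the article says Tchap was configured to accept.
ALLOWED_DOMAINS = {"gouv.fr", "elysee.fr"}


def weak_domain_check(address: str) -> bool:
    """Substring check: passes if an allowed domain appears anywhere in
    the string. Reconstructed to show the flaw class; not Tchap's code."""
    return any(domain in address for domain in ALLOWED_DOMAINS)


def confirmation_target(address: str) -> str:
    """Where a weak flow would send the confirmation mail: the address
    that email.utils.parseaddr extracts. On Python versions predating the
    2018 bug report's fix this is the part before the second '@'; patched
    versions return '' for such input, so the result is version dependent."""
    return email.utils.parseaddr(address)[1]


def strict_domain_check(address: str) -> Optional[str]:
    """Hardened check: exactly one '@', non-empty local part, and the
    domain must equal an allowed domain (case-insensitive). Returns the
    normalised address if accepted, otherwise None."""
    address = address.strip()
    if address.count("@") != 1:
        return None
    local, _, domain = address.partition("@")
    domain = domain.lower()
    if not local or domain not in ALLOWED_DOMAINS:
        return None
    return f"{local}@{domain}"


if __name__ == "__main__":
    crafted = "myemail@gmail.com@gouv.fr"  # constructed example address
    print("weak check accepts crafted address:", weak_domain_check(crafted))
    print("parseaddr yields:", repr(confirmation_target(crafted)))
    print("strict check result:", strict_domain_check(crafted))
```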
How does a threat-focused approach help improve security?
There are obvious concerns related to the failure of the Tchap app. Had someone with more malicious intent than the user “fs0c131y” discovered the vulnerability, they could have gained access to information shared in the “public rooms” of the application. If you have an application that uses the email.utils module for user registration via company emails, it is essential to be aware of vulnerabilities like CVE-2019-11340.
Skybox has a vulnerability database that is updated from multiple public and private sources. When a new security flaw is discovered, we ensure it is published within a maximum of 24 hours. Our database contains a large number of CVE entries, which makes it typically more comprehensive than the NVD (National Vulnerability Database). When new information surfaces – as in the case of the Tchap app – the entry in the database is updated.
It is crucial to know which vulnerabilities exist within your network. CVE-2019-11340 could be one of them. However, if you are unable to identify vulnerabilities in your network and understand the context of your network, which defines how their exploitation might impact your business, creating an effective countermeasure strategy is almost impossible. Tchap was able to fix the detected vulnerability almost immediately after discovery. However, this is not the case for most vulnerabilities. To stay secure against cyberattacks, we must have full visibility of our entire infrastructure and be aware of the consequences of each vulnerability. Without this type of intelligence, our IT environment is wide open to attackers.
Source: www.skyboxsecurity.com