
TIL Matrix poorly handled news of a security exploit, first calling it a "feature" then later releasing a CVE to fix it. And Matrix has received zero security audits so far.

5 comments
53% Upvoted
level 1

Translated article below so you don't have to navigate to Google. Translated via https://www.DeepL.com/


1/ How about a little update on #Tchap? Let's talk about the facts, it will allow everyone to form an opinion.

On March 23rd @_DINSIC published on PlayStore Tchap, a "secure" messaging application for French government employees.

2/ On April 18, a communication campaign begins. We can see in the press articles such as "Tchap a more secure messaging application than Telegram". This is the official launch https://www.phonandroid.com/tchap-letat-lance-une-application-de-messagerie-plus-securisee-que-telegram.html

3/ The same day, I analyze this app and I manage to register on Tchap as an employee of L'Elysée. This security flaw is actually a flaw in the messaging solution called Matrix used by Tchap https://medium.com/@fs0c131y/tchap-the-super-not-secure-app-of-the-french-government-84b31517d144

4/ The contact with the @chap_dinsic managers was perfect. "We thank you, it's nice not to have made the flaw public, we'll think about a bug bounty." That's all a security researcher looks for.

5/ Concerning @matrixdotorg, it is another story. Their first reaction was to say that the flaw was a deployment problem specific to Tchap.

Tweet from @GunstickULM: Ow. A bug for everyone? Is that going to make a CVE? Reply from @matrixdotorg: No, it's not a bug in the Matrix protocol, nor in the normal server implementation; it's specific to the .gouv.fr deployment.

6/ Unfortunately for them this is false because the flaw came from a code written by them. It's not a deployment issue. They were then forced to make a security patch and a CVE was assigned to this vulnerability https://matrix.org/blog/2019/04/18/security-update-sydent-1-0-2/

7/ Since the beginning our exchanges on Twitter as well as by emails have been tinged with aggressiveness. My tweets are unpleasant. I take responsibility for my tweets and the tone of voice. That's what makes it work. This is what has made and is making societies and governments move.

8/ Saturday, feeling like I missed something, I dive back into the network capture I did on Thursday. In 1 hour, I find that it is possible to obtain the number of people registered on Tchap by ministry. It is not a big problem, but it remains a problem to be considered.

9/ I also find that all profiles on Tchap are public (first name and avatar). Aggressively, I am told that it is a feature. We can therefore access the Tchap profiles of the Elysée's employees. As a French citizen, this shocks me.

10/ By design, a user does not have the possibility to make his profile private on Tchap.

It is 2019, does Tchap respect GDPR?

11/ Matrix confirmed by email that there was no security audit on their solution.

In the press, we talk about an app more secure than Telegram; in reality, 0 security audits.

12/ In the press there is also talk of a "sovereign" app. Matrix is based in London, and there is Firebase, made by Google, in the app. Don't we have any French people talented enough to code in France?

13/ You also have to understand something. WhatsApp, Messenger and the others are full of security and/or privacy concerns that a geek like me would be happy to explain. On the other hand....

14/.... you have to understand that hundreds of people work on WhatsApp for example. Bright people and for many years. Their application is used by millions of people around the world, all the time.

15/ Millions of dollars have been injected into an app like WhatsApp. So please pack up your com and start working seriously. It is not by customizing an open source app that you will dethrone giants.

16/ I sincerely believe that the project of a "French" app is a good project. However, it requires professionalism and time. I know it's time for the startup nation, but in that case, pack up your startup methods or your...

17/....project will end like most startups: a great adventure that ended badly.

level 2
Original Poster · 2 points · 1 month ago

Thank you. I should have done this instead.

The French name for GDPR threw me for a loop.

level 3

"Règlement général sur la protection des données"

What a mouthful!

level 1

No new "app" or protocol should be used with the expectation of security. Stick to the tried and true.

level 1

Beep. Boop. I'm a bot.

It seems the URL that you shared contains trackers.

Try this cleaned URL instead: https://translate.googleusercontent.com/translate_c?usg=ALkJrhgXo0YMoPBnNHbg0hf-0bhigvJDtA&xid=17259%2C15700002%2C15700019%2C15700186%2C15700190%2C15700253%2C15700256%2C15700259&tl=en&depth=1&u=https%3A%2F%2Fthreader.app%2Fthread%2F1119868833538478080&sl=auto&rurl=translate.google.com&nv=1

If you'd like me to clean URLs before you post them, you can send me a private message with the URL and I'll reply with a cleaned URL.
