Security researcher “Elliot Alderson” (aka Baptiste Robert) discovered that Tchap’s email address check wasn’t as stringent as it should be. He succeeded in signing up simply by attaching an @elysee.fr (the presidential palace) address to the end of the email address he intended to use — it sent the validation email to his actual account. From there, he could see public chats and theoretically start conversations with government workers.
This won’t be an issue going forward. The researcher got in touch with both the government and Matrix, the team behind the open-source Riot software at the heart of Tchap. Matrix fixed the issue just in time for the launch, preventing a potential embarrassment.
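As an added illustration (not Tchap, Riot or Matrix code, whose actual check the article does not show), the Python example below contrasts a hypothetical suffix-only domain check with a strict one and lists sign-up addresses that only the weak check would accept. All function names, the allowlist and the sample addresses are constructed assumptions.

```python
from typing import Optional

# Assumption: the service keeps an allowlist of approved mail domains.
ALLOWED_DOMAINS = {"elysee.fr"}


def naive_is_allowed(address: str) -> bool:
    """Hypothetical weak check: only looks at how the string ends."""
    return any(address.lower().endswith("@" + d) for d in ALLOWED_DOMAINS)


def canonical_recipient(address: str) -> Optional[str]:
    """Strict check. Returns the one address that may receive the
    validation mail, or None if the input is rejected."""
    # Reject whitespace and control characters anywhere in the input.
    if any(c.isspace() or not c.isprintable() for c in address):
        return None
    # Exactly one '@', so the local part and domain are unambiguous.
    if len(address) > 254 or address.count("@") != 1:
        return None
    local, domain = address.split("@")
    if not local or domain.lower() not in ALLOWED_DOMAINS:
        return None
    # The mailer must use this returned value, never the raw input, so the
    # address that was checked is the address that gets the mail.
    return f"{local}@{domain.lower()}"


def audit(addresses: list) -> list:
    """Addresses the weak check accepts but the strict check rejects,
    e.g. for reviewing registrations made before a fix."""
    return [a for a in addresses
            if naive_is_allowed(a) and canonical_recipient(a) is None]


# Constructed sample sign-up addresses (not real accounts).
SAMPLES = [
    "agent@elysee.fr",
    "agent@ELYSEE.FR",
    "someone@example.org",
    "someone@example.org@elysee.fr",
]

if __name__ == "__main__":
    for addr in audit(SAMPLES):
        print("needs review:", addr)
```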
DINSIC, the French government’s digital agency, promised that Tchap will go through “continuous improvement” in both security and functionality. It saw the last-minute fix as evidence of that approach in action, and planned to start a bug bounty program to incentivize security experts. You might not see officials shift many of their discussions to the app in the near future, then. Whether or not they do, this could help officials wean themselves off of general apps like Telegram (a favorite of President Macron) and reduce the chances of intruders eavesdropping on officials.