A bug in email validation allowed an outsider not only to log in but also to join groups in the app.
Earlier this month, the French government introduced an app known as Tchap for Android handsets that is meant to be used by its employees as a secure channel for communicating internally. The app was hailed as a WhatsApp and Telegram replacement that provides both private and group messaging services only to people who have government email addresses.
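The page does not say what the email validation bug actually was, so the following is an added illustration, not Tchap's code: a registration gate that restricts sign-up to an allowlist of government email domains, shown first as the fragile substring-style check that such gates often get wrong, then as a strict check that parses the address and compares whole domain labels. The allowed domains are a constructed placeholder list.

```python
import re
from typing import Optional

# Constructed allowlist for the example; the real Tchap domain list is not on the page.
ALLOWED_DOMAINS = {"gouv.fr", "interieur.gouv.fr"}


def naive_is_government_email(address: str) -> bool:
    """Weak check: only asks whether an allowed domain string appears anywhere
    in the address, so the domain is never actually parsed. Shown as the
    pattern to avoid."""
    return any(domain in address.lower() for domain in ALLOWED_DOMAINS)


_LOCAL_PART = re.compile(r"^[A-Za-z0-9._%+-]+$")
_LABEL = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def extract_domain(address: str) -> Optional[str]:
    """Return the lower-cased domain of a syntactically plain address, or None.
    Requires exactly one '@', no whitespace and well-formed DNS labels."""
    if not address or any(ch.isspace() for ch in address):
        return None
    if address.count("@") != 1:
        return None
    local, domain = address.split("@")
    if not _LOCAL_PART.match(local):
        return None
    labels = domain.lower().split(".")
    if len(labels) < 2 or not all(_LABEL.match(lab) for lab in labels):
        return None
    return ".".join(labels)


def strict_is_government_email(address: str) -> bool:
    """Hardened check: the parsed domain, or one of its parent domains, must
    equal an allowlist entry as a full label sequence, never as a substring."""
    domain = extract_domain(address)
    if domain is None:
        return False
    labels = domain.split(".")
    # Accepts 'x@dgfip.finances.gouv.fr' when 'gouv.fr' is allowed, but not
    # 'x@gouv.fr.example.com': the trailing labels must match exactly.
    for i in range(len(labels) - 1):
        if ".".join(labels[i:]) in ALLOWED_DOMAINS:
            return True
    return False
```

Rejecting the address is only half of the control; the server must also apply the same check on every sign-up and invite path, not just the one the client uses.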
A report by Ars Technica states that the app is by no means a classified communications system but rather a simple app that runs on Android handsets and can be accessed over the public internet. The DINSIC, the French inter-ministry directorate for information systems that runs Tchap, states that it “is an instant messenger allowing government employees to exchange real-time information on everyday professional issues, ensuring that the conversations remain hosted on the national territory.” Basically, it has been designed to keep official government business off popular platforms such as Facebook and Telegram, whose servers sit outside France.
The app is based on Riot.im, a client from the open source Matrix project, and officially Tchap is still in beta. Beta or not, it hasn’t gotten off to the best of starts. Security researcher Baptiste Robert managed to gain access to Tchap and, in the process, to view all of the internal discussions hosted by the service.
As soon as he got access to this information, he quickly contacted the Élysée, who put him in touch with DINSIC, and within the hour account creation was suspended. DINSIC issued a patch and service was restored three hours later. DINSIC has explicitly stated that Robert only had access to public groups, which are visible to all members, and not to any private chats or confidential material.
What is actually great is that DINSIC responded quickly, and it is now taking input from security researchers to help make Tchap more secure. That said, it appears the launch was a bit rushed, with little prior planning for security.