Security researcher “Elliot Alderson” (aka Baptiste Robert) discovered that Tchap’s email address checks were not as stringent as they should be. He managed to register simply by attaching an @elysee.fr address (the presidential palace) to the end of the email address he wanted to use; the validation email was sent to his actual account. From there he could see public chats and theoretically start conversations with government workers.
This will not be a problem in the future. The researcher got in touch with both the government and Matrix, the team behind the open source Riot software at the heart of Tchap. Matrix fixed the problem just in time for the launch, preventing any embarrassment.
DINSIC, the French government’s digital agency, promised that Tchap will go through “continuous improvement” in both security and functionality. It saw the last-minute fix as evidence of this approach in action, and planned to launch a bug-bounty program to encourage security experts. You may not see officials shifting many of their discussions to the app in the near future, then. Regardless of whether they do so, it can help officials discourage the use of general-purpose apps like Telegram (a favorite of President Macron) and reduce the risk of intruders intercepting officials’ communications.
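The class of flaw described above, a domain check and a mail sender that disagree about which address they were given, can be shown with a short added example. This is not Tchap or Matrix code: the function names, the lenient mailer and the sample addresses are constructed for illustration, and only the elysee.fr domain comes from the article.

```python
# Added illustration, not code from Tchap, Riot or Matrix.
# Assumption: registration is limited to an allowlist of email domains.
ALLOWED_DOMAINS = {"elysee.fr"}

# Constructed sample input: an outside address with an allowed domain appended.
SPOOFED = "outsider@example.com@elysee.fr"


def naive_is_allowed(address: str) -> bool:
    """Weak check: trusts whatever follows the last '@'."""
    return address.rsplit("@", 1)[-1].lower() in ALLOWED_DOMAINS


def naive_delivery_target(address: str) -> str:
    """Hypothetical lenient mailer: keeps only the first local@domain pair."""
    local, _, rest = address.partition("@")
    return f"{local}@{rest.split('@', 1)[0]}"


def strict_parse(address: str):
    """Return (local, domain) for an unambiguous address, else None."""
    if address.count("@") != 1:
        return None
    if any(ch.isspace() or ch in '<>,;:"()' for ch in address):
        return None
    local, domain = address.split("@")
    if not local or not domain:
        return None
    return local, domain.lower()


def hardened_is_allowed(address: str) -> bool:
    """Hardened check: parse strictly, then compare the exact domain."""
    parsed = strict_parse(address)
    return parsed is not None and parsed[1] in ALLOWED_DOMAINS


def registration_target(address: str):
    """Return the one canonical address to mail, or None to reject."""
    parsed = strict_parse(address)
    if parsed is None or parsed[1] not in ALLOWED_DOMAINS:
        return None
    # The mailer receives this rebuilt value, never the raw user input.
    return f"{parsed[0]}@{parsed[1]}"


if __name__ == "__main__":
    print("naive check passes:", naive_is_allowed(SPOOFED))
    print("naive mailer sends to:", naive_delivery_target(SPOOFED))
    print("hardened check passes:", hardened_is_allowed(SPOOFED))
```

The point for a reviewer is that the value that was validated and the value handed to the mailer must be the same canonical string.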