
French Government's Tchap App Security Breach Exposes End-to-End Encryption Flaws
A security incident involving the French government's encrypted messaging app Tchap revealed that a compromised account led to the leakage of sensitive communications, exposing limitations in its end-to-end encryption (E2EE) implementation. The breach occurred when an attacker gained access to a user's account, which allowed the attacker to read messages sent before the compromise, as Tchap's E2EE does not retroactively protect past conversations. The app, developed by the French state and based on the Matrix protocol, was designed for secure government communications but faced criticism for its handling of account takeovers. No specific dates or CVE IDs were disclosed in the report. The incident highlights risks associated with account-level compromises in E2EE systems, particularly when encryption keys are not tied to device-specific authentication.