Expert Analysis Reveals Cryptographic Weaknesses in Threema Messaging App

A comprehensive analysis of the cryptographic protocols used in the Swiss encrypted messaging application Threema has revealed a number of loopholes that could be exploited to break authentication protections and even recover users' private keys.
The seven attacks span three different threat models, according to ETH Zurich researchers Kenneth G. Paterson, Matteo Scarlata, and Kien Tuong Truong, who reported the issues to Threema on October 3, 2022.
Threema is an encrypted messaging app that's used by more than 11 million users as of October 2022.
While Threema has been subjected to third-party code audits at least twice - once in 2019 and a second time in 2020 - the latest findings show that they weren't thorough enough to uncover the problems present in the "Cryptographic core of the application."
Also uncovered is a replay and reflection attack against its Android app that occurs when users reinstall the app or change devices, allowing a bad actor with access to Threema servers to replay old messages.
It's worth noting that this attack was previously reported to Threema by University of Erlangen-Nuremberg researcher Jonathan Krebs, prompting the company to ship fixes in December 2021.
News URL
https://thehackernews.com/2023/01/expert-analysis-reveals-cryptographic.html