Crypto audit of Threema revealed many vulnerabilities
2023-01-11 12:24

Researchers have discovered cryptographic vulnerabilities in Swiss-based secure messaging application Threema that may have allowed attackers to do things like break authentication or recover users' long-term private keys.

The vulnerabilities have been fixed and Threema has since switched to a new communication protocol they designed with the help of external cryptographers.

"We believe that all of the vulnerabilities we discovered have been mitigated by Threema's recent patches. This means that, at this time, the security issues we found no longer pose any threat to Threema customers, including OnPrem instances that have been kept up-to-date. On the other hand, some of the vulnerabilities we discovered may have been present in Threema for a long time," the researchers commented.

"Previous independent audits of Threema did not review the cryptographic core of the application. Such an analysis should be a minimum requirement for any secure messenger, especially one being used in sensitive environments," they explained.

"Ideally, any application using novel cryptographic protocols should come with its own formal security analyses in order to provide strong security assurances. Such an analysis can help to reduce uncertainty about whether further serious cryptographic vulnerabilities still exist in Threema."

Ibex, the new communication protocol in Threema, offers some security features that the previous one did not, namely forward secrecy, but its security should be independently and thoroughly tested.


News URL

https://www.helpnetsecurity.com/2023/01/11/threema-vulnerabilities/