Swiss Army's Threema messaging app was full of holes – at least seven
2023-01-11 08:01

A supposedly secure messaging app preferred by the Swiss government and army was infested with bugs - possibly for a long time - before an audit by ETH Zurich researchers.

Threema downplayed the bugs in a blog post about the research.

The vulnerabilities were found in a protocol that Threema no longer uses, and while the bugs may be "interesting from a theoretical standpoint, none of them ever had any considerable real-world impact," according to the post.

The three researchers - computer science professor Kenneth Paterson and PhD students Matteo Scarlata and Kien Tuong Truong - noted on a website about the Threema security flaws that they originally disclosed their findings to the company in October 2022, and later agreed on a January 9 public disclosure date.

Threema released its Ibex protocol in late November "to further mitigate our attacks," and the researchers noted they have not audited this new protocol, which was released after their investigation.

While the researchers concede these specific bugs no longer pose a threat to Threema customers, their discovery still highlights the difficulty in assessing "security claims made by developers of applications that rely on bespoke cryptographic protocols."


News URL

https://go.theregister.com/feed/www.theregister.com/2023/01/11/swiss_army_threema_bugs/