The security of the Threema messenger protocol turned out to be false

2 months ago · 0 comments

An analysis of the cryptographic protocols of the anonymous messenger Threema revealed several vulnerabilities that can bypass authentication protection and recover users' private keys.

Threema is an encrypted messaging app with over 11 million users. According to ETH Zurich experts, flaws in the cryptographic protocol allow a hacker to:

In addition, a cybercriminal can carry out an attack in which the attacker's server tricks the client into "encrypting a message of the server's choice that can be delivered to another user."

According to Theema, the results of the analysis are interesting from a theoretical point of view, but they did not have a significant impact on the real world. The results suggest broad and unrealistic assumptions that could have far more serious implications than the experts' conclusions themselves.

Researchers reported the problem to Threema, and the company released a new communication protocol called Ibex within a few weeks that fixes the flaw.