In a nutshell, the attacks could pave the way for a wide range of exploitation scenarios, namely allowing an attacker to impersonate a client, reorder the sequence of messages exchanged between two parties, clone the account of a victim user, and even leverage the backup mechanism to recover the user's private key. "Ideally, any application using novel cryptographic protocols should come with its own formal security analyses (in the form of security proofs) in order to provide strong security assurances," the researchers said. While Threema has been subjected to third-party code audits at least twice – once in 2019 and a second time in 2020 – the latest findings show that they weren't thorough enough to uncover the problems present in the "cryptographic core of the application." Officially used by the Swiss Government and the Swiss Army, it's also advertised as a secure alternative alongside other services such as Signal, Meta-owned WhatsApp, and Telegram.
"Security and privacy are deeply ingrained in Threema's DNA," the company claims on its website. Threema is an encrypted messaging app that's used by more than 11 million users as of October 2022. The weaknesses have since been addressed as part of updates released by the company on November 29, 2022. Paterson, Matteo Scarlata, and Kien Tuong Truong, who reported the issues to Threema on October 3, 2022. The seven attacks span three different threat models, according to ETH Zurich researchers Kenneth G. A comprehensive analysis of the cryptographic protocols used in the Swiss encrypted messaging application Threema has revealed a number of loopholes that could be exploited to break authentication protections and even recover users' private keys.
0 kommentar(er)
