Swiss Army’s Threema messaging app was full of holes – at least seven

A supposedly secure messaging app preferred by the Swiss government and army was infested with bugs – possibly for a long time – before an audit by ETH Zurich researchers.

The university’s applied cryptography group this week published research [PDF] detailing seven vulnerabilities in Threema’s home-grown cryptographic protocols. The vulnerabilities, if exploited, could have allowed miscreants to clone accounts and read their messages, as well as steal private keys and contacts and even manufacture compromising material for blackmail purposes. 

While the Switzerland-based app – which bills itself as a more-secure and non-US-based alternative to WhatsApp – isn’t as widely used as Signal or Telegram, its data centers are located in Alpine territory. That makes it a popular messaging app for users – like the Swiss army – who want to avoid potential snooping from overseas governments. It boasts more than ten million users and 7,000 on-premise customers – including German chancellor Olaf Scholz.

Threema downplayed the bugs in a blog post about the research. The vulnerabilities were found in a protocol that Threema no longer uses, and while the bugs may be “interesting from a theoretical standpoint, none of them ever had any considerable real-world impact,” according to the post.

Here’s more of the Swiss company’s statement:

The three researchers – computer science professor Kenneth Paterson and PhD students Matteo Scarlata and Kien Tuong Truong – noted on a website about the Threema security flaws that they originally disclosed their finding to the company in October 2022, and later
