A team of researchers from ETH Zurich uncovered multiple security vulnerabilities in Threema, a popular app that purports to provide secure communication through end-to-end encryption.
The app is used by over 10 million people and 7,000 organizations worldwide, including some high-profile politicians and the Swiss army.
The researchers identified seven potential attacks against Threema’s protocol that could threaten the privacy of communications on the app, potentially lead to account takeovers, trick clients into sending private keys to spoofed servers, and more.
Upon receiving the research findings in October 2022, the software company behind Threema promptly developed a stronger protocol named “Ibex” to address the issues.
Despite this, the company downplayed the significance of the research, stating that the reported vulnerabilities were no longer relevant to the current protocol and had no real-world impact on its product.
Attacks on the Protocol
The researchers at ETH Zurich investigated Threema to validate the claims the software vendor made about its security and found several issues that contradict them.
The seven attacks, summarized in a dedicated portal the researchers set up to publicize the issues, are the following:
Ephemeral key compromise impersonation: an attacker could impersonate a client to the server by stealing its ephemeral key, which also appears to be reused by the platform.
Vouch box forgery: an attacker could trick a user into sending a valid vouch box, which could then be used to permanently impersonate the client to the server.
Message reordering and deletion: a malicious server could forward messages
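The ephemeral key finding hinges on a property defenders can check directly: a key that is reused across handshakes is not ephemeral, and compromising it exposes every session it protected instead of one. The following Python is an added example, not code from the researchers or from Threema, and it does not model Threema's protocol; it simulates handshake records with constructed data (the helper names, the record fields and the 32-byte key size are all assumptions) and audits them for ephemeral key reuse, then shows how the blast radius of a single key compromise differs between fresh and cached keys.

```python
import os
from collections import defaultdict

# Constructed simulation, not real Threema traffic. Each record is one
# client-to-server handshake and the ephemeral public key the client offered.
# A real audit would populate these records from handshake logs or a capture.


def fresh_key_generator():
    """Correct behaviour: a new random key for every handshake."""
    while True:
        yield os.urandom(32).hex()  # hex of 32 random bytes stands in for a real public key


def cached_key_generator():
    """The anti-pattern: one 'ephemeral' key generated once and then reused."""
    key = os.urandom(32).hex()
    while True:
        yield key


def simulate_handshakes(client_ids, sessions_per_client, keygen):
    """Build handshake records for each client using the supplied key generator."""
    records = []
    for cid in client_ids:
        gen = keygen()  # one generator per client, as a client process would hold one
        for session in range(sessions_per_client):
            records.append({"client": cid, "session": session, "ephemeral_pub": next(gen)})
    return records


def find_reused_ephemeral_keys(records):
    """Map every ephemeral public key seen more than once to the handshakes that used it."""
    seen = defaultdict(list)
    for rec in records:
        seen[rec["ephemeral_pub"]].append((rec["client"], rec["session"]))
    return {key: uses for key, uses in seen.items() if len(uses) > 1}


def sessions_exposed_by_key_compromise(records, compromised_key):
    """Handshakes an attacker holding this one key could impersonate or unwrap."""
    return [(rec["client"], rec["session"]) for rec in records
            if rec["ephemeral_pub"] == compromised_key]


def audit_summary(records):
    """Counts a reviewer would want in a report: total handshakes, reused keys, affected handshakes."""
    reused = find_reused_ephemeral_keys(records)
    return {
        "handshakes": len(records),
        "reused_keys": len(reused),
        "handshakes_affected": sum(len(uses) for uses in reused.values()),
    }


if __name__ == "__main__":
    clients = ["alice", "bob"]
    good = simulate_handshakes(clients, 5, fresh_key_generator)
    bad = simulate_handshakes(clients, 5, cached_key_generator)
    print("fresh keys :", audit_summary(good))
    print("cached keys:", audit_summary(bad))
    leaked = bad[0]["ephemeral_pub"]
    print("sessions exposed by one cached key:", len(sessions_exposed_by_key_compromise(bad, leaked)))
```

With fresh keys the audit reports zero reused keys and a single compromised key exposes exactly one handshake; with the cached generator every handshake of a client shares one key, so the same compromise exposes all of that client's sessions, which is the forward-secrecy loss behind the finding.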