"Messenger Billed as Better Than Signal Is Riddled With Vulnerabilities"

Academic researchers have identified critical flaws in Threema, an instant messenger marketed as providing a level of security and privacy unmatched by any other chat service. According to the researchers, the flaws fundamentally invalidate the confidentiality and authentication guarantees that are the foundation of any product marketed as delivering end-to-end encryption (E2EE). Threema has over 10 million users, including the Swiss government, the Swiss army, German Chancellor Olaf Scholz, and other Swiss leaders. Its developers market it as a more secure alternative to Meta's WhatsApp, and it is one of the most popular Android apps in Switzerland, Germany, Austria, Canada, and Australia. The app operates on a custom-designed encryption protocol. Researchers from the ETH research university in Zurich discovered seven vulnerabilities in Threema that cast serious doubt on the app's security. Two of the flaws allow an attacker to cryptographically impersonate a user without special access to a Threema server or app. Three vulnerabilities can be exploited by an attacker to get access to a Threema server. The remaining two vulnerabilities can be exploited by an attacker who has access to an unlocked phone. Threema has garnered widespread praise for its robust E2EE and had undergone at least two security audits prior to these findings. Although the vulnerabilities have been fixed, the greater concern is the continued absence of protections that are standard in practically all software delivering E2EE, especially software billed as secure enough for use by government departments and high-profile politicians. This article continues to discuss the vulnerabilities discovered in the core of Threema.

Ars Technica reports "Messenger Billed as Better Than Signal Is Riddled With Vulnerabilities"