Beware, this secure messaging app has major security issues.


Maxence Glineur

January 14, 2023 at 6:30 p.m.



Encrypted messaging services are popular, and a growing number of major public and private organisations rely on them. With that responsibility comes proportionally more attention from researchers and attackers, and the publisher of Threema has just paid the price.

Used by the German Chancellor and by the Swiss government and military, Threema, itself based in Switzerland, boasts of being more trustworthy than competitors such as Signal. But a recent analysis has highlighted several flaws in its security protocol.

Data from millions of vulnerable users

A computer science student from Zurich, together with his two thesis supervisors, managed to defeat the application's defences by several different methods. They covered a wide range of scenarios: impersonating a user, reordering the sequence of exchanged messages, cloning an account, and even abusing the backup mechanism to recover a user's secret key.

Some of these flaws require direct access to the victim's device; with that access, a third party could read the victim's future messages without their knowledge. That is a worrying finding given some of the company's very high-profile customers, and it is precisely the "maximum security" that Threema advertises that is called into question here.

Discovered and reported to the developers in early October, the flaws were closed nearly two months later when a new security protocol was rolled out to the messaging service. But there is no way to know whether these vulnerabilities were exploited in the meantime, or even before the Swiss researchers found them. The researchers published their findings at the beginning of the year, prompting a public response from Threema the same day. The publisher thanked the researchers, while stressing that none of the attack methods described "ever had a significant impact in the real world."

A puzzling response from the publisher

The company took the opportunity to state that its teams were already working on fixes before the researchers contacted them, adding in a tweet that "today's academia forces researchers and even students to desperately oversell their results." Strongly criticised by the cybersecurity community for its distrust, even contempt, towards the researchers concerned, Threema had already been called out in January 2018 for security flaws in its Android application.

A few months earlier, it was the MEGA cloud storage service whose security was called into question. The market for encrypted services is not itself in doubt, but it is worth keeping in mind that a compromise, however unlikely it is judged, is always possible. And even if companies like Threema have strong founding principles on security, and even if their tools seem infallible, a great deal depends on how quickly they react when something fails, and on their honesty towards their customers and, above all, towards themselves.

Source: The Hacker News
