Threema’s downplayed reaction to security analysis criticized

SecurityWeek reports that open source messaging app Threema has been criticized for minimizing a report by Swiss university ETH Zurich detailing seven distinct attack techniques against the platform. According to the ETH Zurich study, threat actors could exploit authentication and encryption weaknesses in the messaging platform to obtain message metadata, prevent message delivery, clone accounts, and recover private keys tied to a Threema ID, as well as encrypt compromising messages for later delivery to users. While Threema has released mitigations and a new protocol in response to the findings, it stated that none of the attack methods described in the study had any "considerable real-world impact." "Most [attacks] assume extensive and unrealistic prerequisites that would have far greater consequences than the respective finding itself," said Threema. ETH Zurich Professor Kenneth Paterson, who was part of the study, described this response as "unexpectedly dismissive." Other cybersecurity experts, including Andreas Steiger, have also slammed Threema for an unprofessional and aggressive response to the findings.