Cybersecurity firm Theori announced on June 2 that it has uncovered structural risks in security software mandated for use in South Korean financial services. The study was jointly conducted with KAIST, Korea University, and Sungkyunkwan University, and has been accepted to USENIX Security 2025, a leading international conference on security research.

The research team analyzed seven security programs—collectively referred to as Korea Security Applications (KSA)—that are widely deployed across financial and public institutions in South Korea. They identified 19 serious vulnerabilities that, while originally intended to block attacks, are in fact designed in ways that bypass browser security models and give access to sensitive system resources, effectively turning them into attack vectors.

Key issues include interception of user keystrokes, exposure of certificate data without encryption, and additional vulnerabilities such as man-in-the-middle (MITM) attacks, remote code execution (RCE), and user tracking.

These programs have been mandatory for over a decade, and are still required for access to many financial and public services. In a user survey conducted by the researchers, 97.4% reported having installed KSA, yet 59.3% said they had no understanding of what the software actually does. On average, each analyzed PC had nine separate KSA programs installed.

Taisic Yun, a security researcher at Theori, stated, “During the analysis of these security applications, we found that attackers could easily bypass or disable the very security functions these tools claim to provide. It raises serious questions about whether such systems are delivering on their intended security goals in real-world conditions.”

Through this research, Theori warns that the current practice of mandating the installation of security software that does not adhere to international security standards may in fact increase security risks. The team emphasizes the urgent need to shift toward web standards and browser-native security architectures.