Key Information

  • In June 2022, the Sonar Research team discovered critical code vulnerabilities in multiple encrypted email solutions, including Proton Mail, Skiff, and Tutanota.

  • These privacy-oriented webmail services provide end-to-end encryption, making communications safe in transit and at rest. Our findings affect their web clients, where the messages are decrypted; mobile clients were not affected.

  • The vulnerabilities would have allowed attackers to steal emails and impersonate victims if they interacted with malicious messages. Nearly 70 million users were at risk on Proton Mail alone.

  • The issue has been fixed and there are no signs of in-the-wild exploitation.

  • Objects in Space@infosec.pub (26 upvotes · 1 year ago)

    Discovered, reported and fixed shortly after. The headline is catchy but the article is more about the process of how it all went down last year.

    Also found this noteworthy:

    “We would like to thank the Proton Mail team for their fast and professional handling of our report. They also awarded us with a $750 USD bug bounty, which we happily donated to charity.”

    • d_cent@lemm.ee (9 upvotes · 1 year ago)

      Well said. Not to mention the article title calls out Proton, but it’s basically all the noteworthy E2EE email products. Very clickbaity.