In June 2022, security researchers from SonarSource discovered a critical Cross-Site Scripting (XSS) vulnerability in the open-source code of Proton Mail. This flaw could have allowed attackers to bypass end-to-end encryption to steal decrypted emails and impersonate victims. The Discovery
This incident serves as a reminder that no system is 100% secure, but active collaboration with the security community—often incentivized by Proton's Bug Bounty Program —is essential for maintaining privacy. To stay secure, users should:
The vulnerability was strictly limited to the web interface; non-web Proton Mail apps (iOS/Android) were never affected. Protecting Your Data Proton Exploit
Ensure you are using the latest version of any Proton applications.
Analysis of spam and virus filter logs showed no evidence of the exploit being used in the wild by malicious actors. To stay secure, users should: The vulnerability was
The attack required a specific sequence of actions to succeed, which limited its real-world viability:
When possible, use native desktop or mobile apps which often have different attack surfaces than web-based versions. If you'd like to refine this draft, tell me if you want to: The attack required a specific sequence of actions
If successful, the script would run in the victim's session, allowing the attacker to "see" what the user sees—effectively stealing the decrypted content of their inbox. Proton's Response and Resolution