An attacker would need to send two carefully crafted emails to the target.
In June 2022, security researchers from SonarSource discovered a critical Cross-Site Scripting (XSS) vulnerability in the open-source code of Proton Mail. This flaw could have allowed attackers to bypass end-to-end encryption to steal decrypted emails and impersonate victims. The Discovery Proton Exploit
Avoid clicking unexpected links in emails, even from seemingly secure providers. An attacker would need to send two carefully
Shift the tone (e.g., for developers or simpler for general users). The Discovery Avoid clicking unexpected links in emails,
The Sonar Research team identified the vulnerability during a routine audit of Proton's open-source repositories. The issue stemmed from how the web application handled user-controlled HTML. While senders need the ability to style messages, failing to properly sanitize certain tags can allow malicious tags to execute in a reader's browser. How the Exploit Worked
The vulnerability was strictly limited to the web interface; non-web Proton Mail apps (iOS/Android) were never affected. Protecting Your Data
Ensure you are using the latest version of any Proton applications.