Proton Exploit -

If successful, the script would run in the victim's session, allowing the attacker to "see" what the user sees—effectively stealing the decrypted content of their inbox. Proton's Response and Resolution

Proton Mail XSS Vulnerability: A Deep Dive into the 2022 Exploit Proton Exploit

This incident serves as a reminder that no system is 100% secure, but active collaboration with the security community—often incentivized by Proton's Bug Bounty Program —is essential for maintaining privacy. To stay secure, users should: If successful, the script would run in the

Proton maintained its commitment to security through its Responsible Vulnerability Disclosure Policy . In most scenarios, the attack only worked if

In most scenarios, the attack only worked if the victim viewed both emails and clicked a specific link in the second one.

In June 2022, security researchers from SonarSource discovered a critical Cross-Site Scripting (XSS) vulnerability in the open-source code of Proton Mail. This flaw could have allowed attackers to bypass end-to-end encryption to steal decrypted emails and impersonate victims. The Discovery

The vulnerability was strictly limited to the web interface; non-web Proton Mail apps (iOS/Android) were never affected. Protecting Your Data