protonmail

2 articles
sort: new top best
clear filter
bug-bounty480 google297 xss277 microsoft249 facebook211 rce159 apple150 exploit136 bragging-post102 account-takeover98 malware94 csrf84 cve79 privilege-escalation74 authentication-bypass65 stored-xss65 writeup61 reflected-xss57 browser54 react53 ssrf51 phishing50 dos50 input-validation49 cloudflare49 access-control49 cross-site-scripting48 node46 aws46 smart-contract45 docker45 sql-injection45 ethereum44 defi43 web-security43 web-application42 supply-chain42 oauth41 web339 burp-suite36 lfi34 vulnerability-disclosure34 idor34 html-injection33 smart-contract-vulnerability32 race-condition32 clickjacking31 reverse-engineering31 information-disclosure30 csp-bypass30
0 3/10
Protonmail XSS Stored
bug-bounty

Blog post describing two vulnerabilities found in Protonmail: a brute-force attack against a 10-digit password reset code for account hijacking, and a stored XSS vulnerability in the email inbox exploitable via malicious email subject lines. Both issues were reportedly patched by Protonmail.

stored-xss brute-force account-hijacking idor password-reset email-security protonmail bragging-post
Protonmail Chand Singh
medium.com · devanshbatham/Awesome-Bugbounty-Writeups · 22 hours ago · details
0 6/10
3 XSS in protonmail for iOS
vulnerability

Three XSS vulnerabilities discovered in ProtonMail for iOS: one via SVG onload in applewebdata origin, one via javascript URI requiring click interaction, and one via base64-encoded HTML embed in data origin. While XSSs do not allow email exfiltration, they enable JavaScript execution, privacy violations through tracking, phishing, and UXSS in privileged contexts.

xss cross-site-scripting protonmail ios dompurify vulnerability-disclosure email-security webkit applewebdata uxss payload-analysis
ProtonMail Vladimir Metnew DOMPurify Cure53 CVE-2016-1764 Anatoly Andy Yen Safiler
medium.com · devanshbatham/Awesome-Bugbounty-Writeups · 22 hours ago · details