Protonmail XSS — Stored

Hello Everyone,

It's my first blog post about my bug bounty work. Many people are sharing their findings, so I am also trying to write something.

I'm not a professional writer, so you will see many mistakes in this post. Without wasting your time on my bad English, I would like to share my findings.

This is a series of vulnerabilities I found in the Protonmail web app and also the iOS app. I am publishing only two of them now, both related to Protonmail.

#1 Vulnerability

Brute-Force Attack on the 10-Digit Code to Hijack Any User Account

I searched the internet for bug bounty websites and found Protonmail; before that I had not heard of that email service. So I tried to see what I could do with Protonmail.

I signed up for the service and checked their password reset functionality for IDOR issues. I found nothing there, but I noticed that they send a 10-digit code to reset the password!

Proof of concept for the brute-force attack:

[Screenshot: Protonmail (1)]

#2 Vulnerability

Stored XSS in Email Inbox

This was an interesting finding of mine in the email service: a stored XSS in Protonmail that is very easy to exploit against another user, just by sending them an email.

Steps to reproduce the issue:

From the attacker account:

1. Compose an email to any Protonmail user with the subject:

#"><img src=x onerror=prompt(1);>

2. Send the email to the victim.

From the victim account:

3. Open the email in the victim's mailbox and click Reply.

4. XSS executed! :)

Proof of concept:

[Screenshot: Protonmail XSS]

I found many other bugs in Protonmail, including many other XSS issues and recently an XSS in the iOS app. I will write about those soon.

Thanks to the Protonmail team: they fixed these issues quickly, they are very responsible people, and they awarded the bounty according to their program :)

Thanks for Reading, Hope you liked it !
