
If successful, the script would run in the victim's session, allowing the attacker to "see" what the user sees—effectively stealing the decrypted content of their inbox.

Proton's Response and Resolution

The vulnerability was strictly limited to the web interface; non-web Proton Mail apps (iOS/Android) were never affected.

Protecting Your Data

After researchers disclosed the bug in June 2022, Proton developed and deployed a fix by early July 2022.

The Discovery

In June 2022, security researchers from SonarSource discovered a critical Cross-Site Scripting (XSS) vulnerability in the open-source code of Proton Mail. This flaw could have allowed attackers to bypass end-to-end encryption to steal decrypted emails and impersonate victims.

Proton Mail XSS Vulnerability: A Deep Dive into the 2022 Exploit

Proton maintained its commitment to security through its Responsible Vulnerability Disclosure Policy.