A group of researchers unearthed critical code vulnerabilities in Proton Mail, a renowned privacy-focused webmail service, that could have jeopardized the security of the service.
These vulnerabilities posed a significant risk to the privacy and confidentiality of Proton Mail users, highlighting the importance of robust code security in safeguarding sensitive communications.
The discovered vulnerabilities centered around Proton Mail’s web client, where messages are decrypted for users.
While Proton Mail employs robust end-to-end encryption for securing communications in transit and at rest, these vulnerabilities exposed a potential weak point in the security chain.
Specifically, the vulnerabilities could have been exploited to steal decrypted emails and impersonate users.
The Attack Scenario:
To execute an attack, threat actors must trick Proton Mail users into interacting with maliciously crafted messages.
The attack typically required victims to view or click on links within these messages. While it was possible for the attack to succeed with just message views, the most effective scenarios involved users clicking on a link within a follow-up email.
The SonarSource Research team responsibly disclosed these vulnerabilities to Proton Mail in June 2022, prompting swift action from the vendor.
SonarSource offers a range of code quality and security solutions designed to identify issues related to maintainability, reliability, and vulnerability in code. These solutions support 27 programming languages.
Proton Mail promptly addressed the issues and implemented fixes to fortify its security posture. This proactive response prevented any known exploitation of the vulnerabilities.
“We responsibly disclosed the vulnerabilities to the vendor in June 2022, and they were fixed shortly after.”
The vulnerabilities revolved around Cross-Site Scripting (XSS) risks, a common security concern when dealing with user-controlled HTML in web applications.
Despite Proton Mail’s use of DOMPurify, a state-of-the-art HTML sanitizer, subtle code intricacies allowed attackers to bypass security measures and manipulate the rendering of content.
The vulnerabilities were associated with SVG elements in emails, which allowed attackers to inject malicious code due to differences in parsing rules between HTML and SVG.
Had these vulnerabilities been successfully exploited, attackers could have accessed decrypted emails, private keys, and even de-anonymized users.
Such a compromise would have allowed attackers to impersonate victims and potentially steal cryptographic keys, posing a severe threat to Proton Mail’s security-conscious user base.
Patch and Prevention:
Proton Mail’s approach to mitigating these vulnerabilities involved removing SVG support from its service entirely. This measure addressed the specific vulnerabilities and reduced the attack surface, enhancing overall security.
To prevent similar vulnerabilities in your own code, SonarSource recommends the following:
- Avoid modifying data after sanitization.
- If possible, refrain from re-parsing HTML after sanitization.
- Employ state-of-the-art sanitization techniques such as DOMPurify.
- Stay updated with security practices and use secure coding guidelines to minimize risks.
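As an added illustration of the first two recommendations (this is not code from Proton Mail or Sonar), a deliberately small allowlist sanitizer stands in for DOMPurify, and a hypothetical entity-decoding step plays the role of a post-sanitization transform; the fixpoint check at the end is a cheap way to catch output that was altered after the sanitizer ran.

```javascript
// Tiny allowlist sanitizer standing in for DOMPurify (illustration only).
// What matters here is the ORDER of sanitizing and transforming, not the sanitizer.
const ALLOWED_TAGS = new Set(['p', 'b', 'i', 'a', 'br']);
const ALLOWED_ATTRS = { a: new Set(['href']) };
const TAG_RE = /<\/?([a-zA-Z][\w:-]*)([^>]*)>/g;
const ATTR_RE = /([^\s=]+)(?:\s*=\s*("[^"]*"|'[^']*'|[^\s>]+))?/g;

function sanitize(html) {
  return html.replace(TAG_RE, (whole, name, rawAttrs) => {
    const tag = name.toLowerCase();
    if (!ALLOWED_TAGS.has(tag)) return '';            // drops <svg>, <script>, ...
    if (whole.startsWith('</')) return `</${tag}>`;
    const keep = [];
    for (const m of rawAttrs.matchAll(ATTR_RE)) {
      const attr = m[1].toLowerCase();
      const allowed = ALLOWED_ATTRS[tag];
      if (!allowed || !allowed.has(attr)) continue;   // drops on* handlers
      const value = (m[2] || '').replace(/^["']|["']$/g, '');
      if (/^\s*javascript:/i.test(value)) continue;   // drops javascript: URLs
      keep.push(`${attr}="${value.replace(/"/g, '&quot;')}"`);
    }
    return keep.length ? `<${tag} ${keep.join(' ')}>` : `<${tag}>`;
  });
}

// Hypothetical post-processing step of the kind a mail client might run on a
// message body: decoding HTML entities. Text the sanitizer saw as inert
// becomes live markup again, so this transform changes the security meaning.
function decodeEntities(html) {
  return html.replace(/&lt;/g, '<').replace(/&gt;/g, '>')
             .replace(/&quot;/g, '"').replace(/&amp;/g, '&');
}

// Vulnerable ordering: sanitize, THEN modify. The markup created by the
// transform is never re-checked before it reaches the DOM.
function renderUnsafe(untrustedHtml) {
  return decodeEntities(sanitize(untrustedHtml));
}

// Hardened ordering: every transform runs first and the sanitizer runs last,
// so what reaches the DOM is exactly what the sanitizer produced.
function renderSafe(untrustedHtml) {
  return sanitize(decodeEntities(untrustedHtml));
}

// Regression check: output the sanitizer would still change is output that
// was modified (or re-parsed) after sanitization.
function isSanitizerFixpoint(html) {
  return sanitize(html) === html;
}

// Constructed sample message body (not a real message).
const SAMPLE = '<p>Hi <b>there</b> &lt;svg onload="probe()"&gt;</p>';
```

Running `renderUnsafe(SAMPLE)` yields a live `<svg onload=...>` element and fails the fixpoint check, while `renderSafe(SAMPLE)` returns `<p>Hi <b>there</b> </p>` and passes it.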
Proton Mail’s prompt response and the Sonar Research team’s diligent investigation demonstrate the importance of proactive security measures in maintaining the integrity and privacy of sensitive communications.