Webinar

Stealing With Style: Using CSS to Exploit ProtonMail & Friends


Thursday, June 29, 2023

11:00 AM - 12:00 PM PDT

60 minutes, including Q&A


Privacy-oriented webmail providers like Proton Mail and Tutanota offer an easy way to secure communications. Even non-technical people can send end-to-end encrypted emails, which is especially useful for high-risk users such as journalists, whistleblowers, and political activists. However, end-to-end encryption offers no protection when the client itself is vulnerable: an attacker who can run code or exfiltrate data from the victim's mail client gets at the messages after they have been decrypted. That's why we had a closer look and found critical vulnerabilities in Proton Mail and Tutanota that could have been used to steal emails, impersonate victims, and in one case even execute code remotely!

This talk presents the technical details of these vulnerabilities. We will use two case studies to show how we found and exploited serious flaws with unconventional methods. Come and see an adventure about mXSS, parser differentials, and modern CSS coming to the rescue during exploitation.

Warning: may contain exploit demos and traces of popped calcs!

Sponsored by:

Outshift by Cisco

Speakers

Paul Gerste

Vulnerability Researcher

Sonar

Paul Gerste (@pspaul95) is a Vulnerability Researcher in the Sonar R&D team. In the last few months, he has been hunting bugs in popular JavaScript and TypeScript applications, yielding critical vulnerabilities in projects such as Rocket.Chat, NodeBB, and Blitz.js. Paul has also been a CTF player and organizer for some years and loves to hack all web-related things.


Shweta Khare

Principal Technical Product Marketing Manager

Cisco Outshift

Shweta Khare is a product marketing leader focused on Cisco Outshift’s cloud native application security portfolio. With a true passion for cybersecurity and expertise in developing strategic GTM frameworks, Shweta enjoys researching market dynamics, customer pain points, and emerging trends to ensure that products are positioned for success in competitive markets.


Steve Paul

Moderator

Black Hat
