
Does ProtonMail have a major security flaw? - neltnerb
http://neltnerb.tumblr.com/post/153577347711/does-protonmail-have-a-major-security-flaw
======
neltnerb
Well, I won't go so far as to say that I found the issue, but I have found
that through some mysterious set of conditions somehow my laptop learned my
mailbox passphrase. I use LastPass, but LastPass doesn't have a record in the
database with it (I would never intentionally have it save such a passphrase).
I disable browser password saving on any system I use. I've only ever typed
that passphrase on the ProtonMail website to decrypt my mailbox.

This is very strange. If I tell LastPass to autofill the password on the
mailbox decryption page, the password fails. But somehow it starts out filled
in with the correct one. Honestly totally at a loss, but probably not an issue
with ProtonMail and more likely some accidental thing I must have done to put
it into memory. No clue what I did wrong.

------
xxdesmus
Can't duplicate the steps they mentioned. Only my mailbox decryption password
actually works to decrypt my mailbox.

~~~
neltnerb
Thanks! OP here, I'm not sure what the deal is.

I just created my account last week, I wonder if they made some change to the
key generation algorithm... I wish I knew enough cryptography to guess what
could be going on. How can two passphrases both work unless they both happen
to hash to the same value?

I literally had never yet typed the mailbox passphrase on this computer and
somehow didn't need to in order to log in. I submitted a note to their
security email address, but I'm really confused/concerned that something is
up.

