
It appears they silently closed a critical vulnerability recently [0]

[0] https://twitter.com/StackSmashing/status/474214532114812928



My name is on https://protonmail.ch/blog/protonmail-security-contributors/ because I reported a critical XSS vulnerability to them when they were previously mentioned on here.

All you needed to do was send an email which contained a From header with script embedded in the name part:

  From: "<script>Do evil</script>" <address@example.com>
All I did to find this vulnerability was sign up for an account and then plonk the email address they gave me into https://emailprivacytester.com/ (of which I am the author).
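The header-injection case this comment describes, shown as an added example (not the poster's tool or ProtonMail's code): a webmail client that parses the From header and escapes the display name before it reaches HTML, beside the unsafe rendering it replaces. The message and function names are constructed for illustration.

```python
import html
from email import message_from_string
from email.utils import parseaddr

# Constructed sample message: the display name of the From header carries markup,
# exactly the shape the comment above describes.
SAMPLE_MESSAGE = (
    'From: "<script>Do evil</script>" <address@example.com>\r\n'
    'To: victim@example.com\r\n'
    'Subject: hello\r\n'
    '\r\n'
    'body text\r\n'
)


def sender_display_name(raw_message):
    """Return (display_name, address) parsed from the From header.

    parseaddr strips the RFC 5322 quoting, so the returned name is the raw
    attacker-controlled text, not a sanitised one.
    """
    msg = message_from_string(raw_message)
    return parseaddr(msg["From"] or "")


def render_sender_unsafe(name, addr):
    # Interpolates the untrusted display name straight into HTML: this is
    # the defect class the comment reported (a stored XSS via a mail header).
    return f'<span class="from">{name} &lt;{addr}&gt;</span>'


def render_sender_safe(name, addr):
    # Same output shape, but every header-derived value is HTML-escaped
    # before interpolation, so markup in the name renders as text.
    return f'<span class="from">{html.escape(name)} &lt;{html.escape(addr)}&gt;</span>'


def name_contains_markup(name):
    # Cheap server-side check a mail pipeline can log or alert on: a display
    # name never legitimately needs angle brackets once it has been unquoted.
    return "<" in name or ">" in name
```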



