
My name is on https://protonmail.ch/blog/protonmail-security-contributors/ because I reported a critical XSS vulnerability to them when they were previously mentioned on here.

All you needed to do was send an email which contained a From header with script embedded in the name part:

  From: "<script>Do evil</script>" <address@example.com>

All I did to find this vulnerability was sign up for an account and then plonk the email address they gave me into https://emailprivacytester.com/ (of which I am the author).
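The display-name rendering bug described above, as an added example that is not code from the comment or from ProtonMail: a small From-header parser with the unescaped rendering beside the escaped one. The function names (escapeHtml, parseFrom, renderFromUnsafe, renderFromSafe) are hypothetical and the sample header is constructed in the shape the comment gives.

```javascript
// Added example, not from the original comment or ProtonMail's code.
// Parses a "From:" value of the form  "Display Name" <local@domain>
// and shows the difference between interpolating the sender-controlled
// display name straight into HTML and escaping it for the HTML context.

// Escape the five characters that matter in HTML text and attribute values.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  })[c]);
}

// Minimal parser: optional quoted display name followed by an angle-bracket
// address, falling back to a bare address. Not a full RFC 5322 parser.
function parseFrom(header) {
  const m = /^\s*(?:"((?:[^"\\]|\\.)*)"\s*)?<([^>]+)>\s*$/.exec(header);
  if (m) {
    const name = m[1] !== undefined ? m[1].replace(/\\(.)/g, "$1") : "";
    return { name, address: m[2] };
  }
  return { name: "", address: header.trim() };
}

// Vulnerable rendering: trusts the display name chosen by the sender.
function renderFromUnsafe(header) {
  const { name, address } = parseFrom(header);
  return `<span class="from" title="${address}">${name || address}</span>`;
}

// Hardened rendering: every untrusted field is escaped for its context.
function renderFromSafe(header) {
  const { name, address } = parseFrom(header);
  const label = escapeHtml(name || address);
  return `<span class="from" title="${escapeHtml(address)}">${label}</span>`;
}

// Constructed sample header in the shape the comment describes.
const SAMPLE_FROM = '"<script>Do evil</script>" <address@example.com>';

console.log(renderFromUnsafe(SAMPLE_FROM)); // script tag lands in the page
console.log(renderFromSafe(SAMPLE_FROM));   // rendered as inert text
```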
