How to accidentally find a XSS in ProtonMail iOS app

A lot of things happen without intention. So it came that I discovered a XSS vulnerability in an iOS app.

While doing some research on a BugCrowd program I’ve certanly also tried to find one or another XSS or injection vulnerability and changed account names and personal details within my reseracher account to XSS strings. Without big success so far.

Couple of days later the service I was testing on sent out an email like “Hey, how do you like our service?”. I was about to delete it in my ProtonMail web mail interface but eventually forgot about it.

A day later I’ve cleaned up my ProtonMail inbox on my iPhone and saw something strange:

What did I just see? XSS JS popup on iPhone? No way!

Next day, while this popup didn’t let me sleep (okay, littly baby was keeping me awake but that made me think about it more and more), I was checking the source in web mail and there was nothing. Also the popup was not there.

Need to dig deeper… as mostly all mail clients filter out script parts in new emails, it has be done manually. So let’s write some script in Powershell (yeah, something new to me so I did it for learning):

$smtp = "mymailserver" 
$to = "myproton@mailaccou.nt" 
$from = "" 
$subject = "foobar"

$body = "<html><head>"
$body += "<title>test</title></head>"
$body += "test`">`'><i>I</script><script>alert(1)</script>testscript</i>"
$body += "</body></html>"

send-MailMessage -SmtpServer $smtp -To $to -From $from -Subject $subject -Body $body -BodyAsHtml

And yep… here we go again. Popup is back.

So ProtonMail app on iOS is not filtering out the <script> tag.

As I did not find any way to compromise my own user data but still thought this is something ProtonMail should know about, I sent a bug report which was accepted event when the vulnerability was already known. Bug was fixed within 24h and a new app update released! WOW! By the way, Android was not vulnerable.

So what could have been done with this XSS? Well as it was not able to access ProtonMail data on the phone it still could have been used for phishing or maybe downloading malicious code to the phone.

Since ever then, I’ve tested all my other mail apps for similar vulns but did not find any more so far.

Kudos to ProtonMail for their friendly and appreciative communication.

Conclusion? Uhm… never trust Klingons? 🙂