Malicious actors, including adversarial nation-states, will keep trying to gain access to Proton's data for their own interests. 'Non-inherently-malicious' actors, backed with nation-state resources, may target Proton's infrastructure at points that are not usually reachable for regular malicious actors. These actors may not be natural adversaries of Switzerland (assuming this country has any), but the level of lawful collaboration provided by Proton may not be enough for them, or it may even be 'non-convenient' to issue a legal requirement that could expose the operation to the individuals being investigated. Obviously, this shouldn't come as a surprise to anyone, much less to Proton staff. Otherwise, you wouldn't locate your datacenter in a former military bunker.

In what seems a logical approach to keeping up with their privacy claims, the client-side part of Proton's services and applications is available as open source. As I explained in similar posts, my preferred approach, when possible, is always static source code analysis, so in this case that was the main activity. This time, though, I also spent some time creating the exploits and PoCs required by the program to verify the issues, and testing their web endpoints. The codebase I used dated back to late 2021 (November), and the scope also included the beta versions (server-side) of some of the services, such as Proton Drive and Calendar.

My top priority was to find vulnerabilities that allowed 'de-anonymizing' users by leaking their IPs. This is obviously not necessarily a complete exposure, but within the context of Proton it poses a significant threat.

Reported issues:

- Message composer leaks user's IP through a specially crafted 'mailto' link
- App leaks user's IP when checking contacts
- Remote content protection bypass while importing contacts from a VCF file
- Draft message composer leaks user's IP due to a React re-render
- Improper sanitization of Zendesk key allows HTML injection
- macOS app: WireGuard/OpenVPN extensions allow insecure XPC connections
- Windows app: insecure WCF NetNamedPipeBindings allow local users to perform privileged operations
- Windows app: OpenVPN's insecure random SID leaks system uptime