
ProtonMail Vulnerability : Bypassing Invitation

Author: Naresh LamGade
29th September, 2015

ProtonMail is a secure, encrypted email provider based in Switzerland that runs a “zero access” PGP mail service.

ProtonMail doesn’t allow direct signup; they only accept users through an invitation.
I had also signed up for ProtonMail to see the UI and everything else, and got their invitation. I checked for some vulnerabilities and couldn’t find anything from the inside. Then I went back through the invitation link with which I had registered.

The first thing I noticed was that the INVITATION LINK never expires.

Here’s mine: https://protonmail.ch/pre-invite/lamgade/37e81f840d77ca25de42191c2ddfe044

So I thought of registering a new account again, but I was still unable to register because the username lamgade was already registered.

I went to the source code and found there was a field:

<input id="username" tabindex="1" name="UserName" readonly="readonly" required="" type="text" value="lamgade" placeholder="Username" />

So I just changed the value to another username and made the request, and I was able to register a new email account.

After finding this issue, I started making multiple email accounts for myself and for other friends.

And only then, I reported the bug 😀 to the ProtonMail Security Team.

Since it was only a beta version of ProtonMail, they didn’t release any bug bounty, but they sent me two official ProtonMail T-shirts, which still haven’t shipped.


I have even made a video PoC:

(Note: This issue was reported back in December 2014 and has been patched now. I was busy with other stuff, so I didn’t get it out at the time; I am posting it now. 🙂)
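
The server-side checks whose absence the post describes (an invitation link that never expires and a username taken from an editable form field), sketched as an added example. This is not ProtonMail's code; `InviteStore`, `INVITE_TTL`, the seven-day lifetime and the in-memory storage are assumptions made for illustration.

```python
import hashlib
import secrets
import time

INVITE_TTL = 7 * 24 * 3600  # assumed lifetime in seconds; the post gives no value


class InviteStore:
    """In-memory stand-in for an invitation table (constructed for this example)."""

    def __init__(self):
        self._invites = {}     # sha256(token) -> {"username", "expires", "used"}
        self.accounts = set()  # usernames that already exist

    @staticmethod
    def _digest(token):
        # Store only a hash, so a leaked table does not reveal usable links.
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, username, now=None):
        now = time.time() if now is None else now
        token = secrets.token_hex(16)
        self._invites[self._digest(token)] = {
            "username": username, "expires": now + INVITE_TTL, "used": False}
        return token

    def redeem(self, token, posted_username, now=None):
        now = time.time() if now is None else now
        invite = self._invites.get(self._digest(token))
        if invite is None:
            return "rejected: unknown token"
        if invite["used"]:
            return "rejected: token already used"
        if now > invite["expires"]:
            return "rejected: token expired"
        # readonly="readonly" is only a browser hint: the posted UserName is
        # attacker-controlled, so compare it with the name bound to the token.
        if posted_username != invite["username"]:
            return "rejected: username does not match invitation"
        if invite["username"] in self.accounts:
            return "rejected: username taken"
        invite["used"] = True  # single use: the same link cannot be replayed
        self.accounts.add(invite["username"])
        return "created: " + invite["username"]
```
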

Comments
Pranav Hivarekar
Posted at 6:02 pm September 29, 2015

Good find! 🙂 Keep it up!

nareshlamgade
Posted at 6:03 pm September 29, 2015

Thanks bro 🙂 more issues still to come. 🙂

Atul Shedage
Posted at 4:56 am September 30, 2015

Nice!
