ProtonMail is a secure encrypted email provider, which runs a “zero access” PGP mail service based in Switzerland. (Read More)
Since, ProtonMail doesn’t allow direct signup and they only accept the user through the invitation.
I had also signed up for ProtonMail to see the UI and all the things & go their invitation. I checked for some vulnerabilities and couldn’t find anything from the inside. Then I suddenly went through the invitation link which I was registered.
The first thing I notice was that INVITATION LINK never get expired.
Here’s mine : https://protonmail.ch/pre-invite/lamgade/37e81f840d77ca25de42191c2ddfe044
So, I thought of registering the new account again but still I was unable to registered as the username : lamgade was already registered then.
I went to the source code and found there was a field :
< input id=”username” tabindex=”1″ name=”UserName” readonly=”readonly” required=”” type=”text” value=”lamgade” placeholder=”Username” />
So, I just changed the value to any other username and made a request then I was able to register a new email account.
Then after finding this issue, I started making multiple emails for myself and for other friend.
And only , I reported the bug 😀 to the ProtonMail Security Team.
Since, It was only a Beta Version of a ProtonMail so they didn’t release any bug bounty but they send me two Official ProtonMail T-Shirt which still haven’t yet shipped.
I have even made a Video POC :
(Note : This issue was reported back in December, 2014 and has been patched now. I was busy with other stuff so I didn’t make it out at a time so I am posting now. 🙂 )
Good find ! 🙂 Keep it up !
Thanks bro 🙂 more issue still to come. 🙂