Update about reported XSS issue

A couple of days ago, a video circulated online claiming that ProtonMail is susceptible to an XSS (cross-site scripting) issue, which raised some concerns among ProtonMail users. We want to clarify that this does not impact the current version of ProtonMail.

ProtonMail is constantly making security improvements through our beta process, and we appreciate all the assistance we have received from the community in helping us make ProtonMail better. The concept of encrypting on the client side is a relatively new one and comes with its own security challenges, which we are working diligently to tackle.

The ProtonMail security team has reviewed the video and confirmed that this particular security issue is not present on the live version of ProtonMail. The video shows an earlier development version of ProtonMail that was originally released on May 10th, 2014 for limited testing and is not used in the current production systems.

We are supportive of all efforts to improve the security of ProtonMail and appreciative of our security contributors. Security inquiries can always be directed to security@protonmail.ch.

About the Author


We are scientists, engineers, and developers drawn together by a shared vision of protecting civil liberties online. Ensuring online privacy and security are core values for the ProtonMail team, and we strive daily to protect your rights online.


4 comments on “Update about reported XSS issue”

  • I absolutely love this website, feels good knowing I can send emails to others without them being read by a computer algorithm by the NSA…

    Also, when I saw this video, I instantly knew it wouldn’t affect the current website, since this is such an easy attack to perform, there’s no way a team of security-oriented website owners would let something as simple as this slip past their grips.