API tools faq
paste
Advertisement
cephurs

Protonmail Hacked

cephurs
Nov 16th, 2018
1,428
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 10.72 KB | None | 0 0
raw download clone embed print report
  1. -----BEGIN PGP SIGNED MESSAGE-----
  2. Hash: SHA256
  3.  
  4. Short Summary: We hacked Protonmail and have a significant amount of their data from the past few months.  We are offering it back to Protonmail for a small fee, if they decline then we will publish or sell user data to the world.
  5. Long Explanation: While Protonmail's open-source code can be freely audited on Github, they haven't configured the mandatory SRI feature (https://www.w3.org/TR/SRI/). This leaves users without any guarantee about their source code integrity, thus allowing tampering and data collection at anytime. This will be totally transparent and unnoticed, because without enabling SRI all the users should inspect the website runtime code and its connections manually in the same moment they're being tampered with by Protonmail to discover it. Furthermore this requires spending a lot of time and advanced knowledge.  With this being clarified, we have proven and recorded that Protonmail intentionally manipulated their source code to reveal users decryption keys (private keys) by collecting their password. Protonmail abuses the lack of SRI technology to serve a modified version of their code that allows full data collection and decryption of their users content.  We haven't found the exact pattern that triggers this (probably by targeting IP ranges or just randomly to collect everybody's password), but again, we have proven and recorded this happens.
  6. After proving Protonmail knowingly permits misconfiguration to maliciously target users we decided to deploy our full capabilities against them.  We began with months of dedicated penetration testing, we asked assistance from other organizations and deployed unreleased 0-days.  Although arduous we successfully installed a permanent backdoor on their major machines without Protonmail’s knowledge, bypassing their detection mechanisms. Once we obtained that access we took advantage of their misconfiguration and collected passwords from a large percentage of active accounts that accessed Protonmail during that period.
  7. After that we were running a modified and automatized version of their webclient on our end, where we fetched, processed and stored email messages from those affected users in a huge database of our own, thus having significant useful information from many different individuals and companies.
  8. If you have used Protonmail in the past several months it is probable we have your Username/Password and your decrypted emails recorded on our own private server. We also have names, addresses (If entered), contact lists, IP addresses, and much more.  We would not have been able to do this if Protonmail did not deliberately mis-configure their code to harm their own users.
  9. Incidentally during this period we noticed that Protonmail sends decrypted user data to American servers frequently.  This may be due to the Swiss MLAT treaty requiring swiss companies reveal all their data to the Americans.  However it also might be possible they are sending this decrypted user data to the American firm that owns them.  This was simply a surprising thing to note but did not significantly influence our operation.  
  10. After we obtained significant user data from Protonmail we removed our permanent backdoor for our own security. However we will publish recordings showing our defeat of Protonmail’s defenses and using their intentional misconfiguration to tamper with their source-code.
  11. We successfully fully compromised Protonmail and notified them privately of our operation.  We also requested a small financial reward in return for their users data.  
  12. Protonmail compromises their users data without their knowledge and charges each user a monthly subscription fee.  Therefore we felt morally justified compromising Protonmail’s data without their knowledge and charging them a fee for it’s return.  We all worked hard to accomplish this, incurred costs and felt this was reasonable. However they declined and ignored further discussion.  This seems to match their historical tendency to disparage researchers not at their own perceived high educational status.  
  13. After we send this email to the Media we again ask Protonmail to pay a small fee to have their user data returned to them. We have exposed their malfeasance to the world and the attention of their users is toward them. We will give Protonmail until 23 November at 12:00 UTC to pay the fee, guaranteeing safe deletion and exploit descriptions released to them in private.  If given a choice we would not like to cause discomfort to regular people caught in this disagreement.  
  14. If they decline again we will distribute as indicated in both #1 and #2 below:
  15. #1 Freely send media outlets the below information:
  16. - - - - - - - -Data Group One: Decrypted emails between individuals working for private military contractors discussing government contracts.  Specific details regarding circumventing the Geneva convention, underwater drone activities in the Pacific Ocean, and possible international treaty violations in Antarctica.  We have no way to validate this information but we do have these users information and all the details they use when describing their activities to their acquaintances
  17. - - - - - - - -Data Group Two:  Conversations revealing rampant pedophilia among executives and the affluent who use Protonmail as their personal email.  Including full names and descriptions of their wrongdoings in their own words.  Prominent individuals to be named in many corporations and government positions.  
  18. #2 Sold in bulk to the highest bidder on the darknet:  
  19. 1. All decrypted Protonmail customer data collected during the period we compromised their source code. Including plain text emails, attachments, full names, social media connections and IP addresses. It’s possible we will not do this, instead selling email groups by topic.
  20. Historically it seems Protonmail makes unkind statements toward upstanding  organizations like my own.  If this happens we will gladly release “data group two” to the general public.  
  21. In closing we wanted to express our desire to all Protonmail users that none of your data will be misused in any way if Protonmail cooperates.  We understand that it may be difficult to gain peoples trust in this regard due to the manner in which we came into possession of their Data.  All we can do is humbly offer our assurance that everything we have will be completely destroyed and never resurface again.  It seems like in this age honor is dead however we will be honorable regarding this and our future actions will prove it.
  22. Deadline 23 November 12:00 UTC
  23. AmFearLiathMor
  24. [email protected]
  25.  
  26. ADDITIONALLY FOR SALE:
  27. 1. Non-Disclosed 0-Days. We are happy to discuss sale, but we will not release them to you until after we are done dealing with protonmail
  28. 2. Our services and connections
  29. - - -
  30. -----BEGIN PGP SIGNATURE-----
  31.  
  32. iQIzBAEBCAAdFiEEKv8hb5r+/k39o6RSvDpnUscGhvEFAlvuW9gACgkQvDpnUscG
  33. hvEvEhAApMTw3ImXGjmHSgAFI3Fe/c07JJGuW3FD96upnLKMqPHs3IM4ktPN6/ko
  34. B9uhTEsYWR0/3fwg1k5c5LsZjHL40xNPKswSQr/xw/KHy9lNkWUBBJ2c1PYW4yj8
  35. 8yI4QEXbTsCi+hKwcI6UpsE0DfWbHpepUQt1bWTJscC32i29+LJEccokjiYAvDyH
  36. +ukv6rPyFh5L9EZEQYtODO7HxnQOs0VgRIkhaC5qvx8N3udNPjRwsHgGw1PPY+io
  37. Pg85dtq+bPZjosy1frEH4bVtLoHTL6/cMdS1TYXVUa6X36Uxvv7ur/ZaZfuHR7zK
  38. rK0JGxJ19MnHD/e3707Kb97pB+cTighEvbbJ2yPpB1bsk7wsYOuJ2vnJwQZK2MK7
  39. 9NwBDyeuY5+OGP8fz5G+BD/+39iQifuBso9zMphZHKgO63oa1LE6hhHs3E4cP3/p
  40. BXW/wN8w62IEcTuxz2jtTuxTpNXIkjJbZM6DZawLleBTTVqYSfVfpZiYxruiBeYx
  41. A55ZW1tKQs6eeZkXgkdsniP2JeETSlKAHhHPoytunJZLEH+HuUHw5LP2L0lIfF5k
  42. rj26Xo7AUPfseRnzl7cDyBaIt+EP/0VP+ejtAl6+i5+JXpHIXwA+R9O91l1gCg9a
  43. bC3+6OnBPZxIBC7luG1tRrqWcH82xf3dsRndRr0vE5G6phgZefc=
  44. =43DN
  45. -----END PGP SIGNATURE-----
  46.  
  47.  
  48. -----BEGIN PGP PUBLIC KEY BLOCK-----
  49.  
  50. mQINBFvtA2QBEACocqKKYdGE73V7RevyRfEF3ue+LZduFJkv9fPWmieDFBBR2hAb
  51. PTWq37UNnfSlGL9QkCgl2C3aGDLiwJxIocaHAGfQ10ctnr687iZNAa/PeQ6jHR9s
  52. zoXb7UBkjiNz1kBN+SJU0Hi6or159TrirdKiioaVD04TmeLQu7taNrzXPpITg0pF
  53. O8DBssm7OxHCx1K+5dIYfu0Z24S26SLeLh0lyqtXN0PT62nd6rAErwdEt56znJuA
  54. F46zD6qdTuYKlSUGxQCR8TJrDj6p566BCo8cK7GIk6mB6mBEm5TWBhjqBqGkgYz4
  55. xZwQ4VUR4bLuOOvT91CQuPIYvaRF5mszIxtdvSv47ij8idkNdAfA133IbkFaOkU3
  56. GlM2o2Bh3/5krGJ5sD0GqVHcXv87INqyOOwN7zIFWCx3K/U8e4WhBCamtKF/XjbI
  57. pEaQ6zjN788EMo/T6w24Txhji2nO/DAUMi5k9MzfrXA35BGoWLF62KIxzpiQvL+P
  58. NDRKt+Fwa9xPbJBeyDsUqp2g0LwGO1W1YL6sX2L2Yjk1T9BvN33w+jYD70oivIcF
  59. hBkwdyFd7lsYD0ODRSWkwUaHNn4qcQYSG4CdFHA2BNgFtYXQIh8jYYmy3WFjiYDN
  60. A6vj+P4fHtwMXt9cDd74IJAl1LsQRVN7Ostr4QZvDgoaB9FK80RAedPOLQARAQAB
  61. tCxBbUZlYXJMaWF0aE1vciA8QW1GZWFyTGlhdGhNb3JAbm8tcmVwbHkuY29tPokC
  62. TgQTAQgAOBYhBCr/IW+a/v5N/aOkUrw6Z1LHBobxBQJb7QNkAhsjBQsJCAcCBhUI
  63. CQoLAgQWAgMBAh4BAheAAAoJELw6Z1LHBobxWjkQAJSHdPo1Ksx2kf0VqGjuQmjc
  64. eLTSjsWbT/k88VeeNtwnWjWoYy7TuGDNsPkC+jAcItCixgFfNDySe7L1rQmdAlN/
  65. bQgmjtV1mGq/fQliTWUbuzVYaYJwTBv1sDery2vzQD4G4GcDKfNMfsUVfp0UlwB0
  66. rZZA4jmoo/58F5LETr4NzYQVwUCMfCUDmoMCcVCxjoKCdueR0MIRjl53RDpoh9+n
  67. yZwhWvU4P8vtxNKxJGXQAVwH8ARV0xAH3zbMtZB8RXoKi2369PTO6Pvqjf8p4YOS
  68. SX1vZT6fLrf5jin6VxULluxR8FDvqQaCelQH7WGWLJksZhYC/wv+h0EtIXrGJMSQ
  69. 1dwjkdvWSvEWCDWyGn/XuHlJK/lkkOMtcBv/v1D5LuuKUVRtsVQs/ujOoaRpXND2
  70. mxEvb8BvOkvnKdmNqp+y6cy1TSk0G381Yder/3sIqw1IrZe1N3w9z30RXCH3MB4C
  71. ljAD03/ja9YVwSp6Lp5JsBUiG0xM4/kKMTDSVhUj2ID14UutrcP4hx3HkYxUNdyS
  72. m9mHFpYk/ITCS0tQa10EL/IXpmcOAldt3hCcIbVok+pdlm5cQXDmGh9uOsamnMi3
  73. symoLOLalQv81kIi590WDzNI4WyYZSaHglfnG5Vuw8AeSPN4mpNgGOTGv+BOMeAW
  74. J4NZA1Ahd4NgHROkkW9EuQINBFvtA2QBEADnx4yEy2271RBb+aH1X3OQ/8rzY4lg
  75. Y36S8N7GbUMz4EYb0LxlFOARe5VWsox0CJrWifRF6ipS22qRaC/lF36EIZTfxzz+
  76. kMXMHuvBGKeSxyIyb2M9VuwUgib30mcs2yVBMYoC/qp2k3VYisBB+L3xrED+I56F
  77. 2GAaajZ/901rF7+91mHU4HsJ/3OtsXE+r/6U+B9Z9ohgnG4Y8CvtvFPOBq2QOup6
  78. PzCsSHucrJAPwN0Hcqbythf8WtEDDxiV/XCm7fzr11+t3pnAMy7FqQOKWyr8JF8h
  79. M16+CYH0Dw1ARj7fqiX9/FKHdcWk7qjKi4grS8i924o9f3FG+lZdMQF4ev8W39YR
  80. KMmUwJvGku2w6Ah5BJ8tv7n6HRP56AHCpE1aee6Q/80WgEym2BfdSn+D8B7iZGSX
  81. uOHKq/qUYstRbu6+Yg3FUJMFwg51gmmYDoaFL5WJC0y+i6bNPPbsBuHR2O89Aqoe
  82. g8eF59j23CoMrcwUharOyBdBnf7mflMbChJmX46Ayb7JJ0aEISRre+V2gxfZROXI
  83. i28ikW93fW9o+erbZBnfJndz/0DnszBg+/ZVg7v7uoOPLUOt9hIfrLdkVYKM6Fqu
  84. n1ufBtFWeC4aedBTjZls8yS1xHDsP5bNI8G5aUnQ3w+wqs7IfME0A+ESUQsHZmBn
  85. 547aJHSwG7g8MQARAQABiQI2BBgBCAAgFiEEKv8hb5r+/k39o6RSvDpnUscGhvEF
  86. AlvtA2QCGwwACgkQvDpnUscGhvF+/RAAiUL6h+Hlzp5Gb/OPO5Yqk9JMSttX9XKz
  87. wK/ytkxYQoXfRaRM9zUdFcX5avXoUD2m9vD5Ev8erYyP8UQpGaHEhT1dYgX+nMzT
  88. sVqAHMAGlVi9kuA47Azvji5zB/MrNErC8vxNxXBikuY3Zee61J3rWLtUdUKBjMpY
  89. TvyU1FbOpoO9wPmcN4D4k1JtcfRl744VtFwG0Mz2Q1nOB3cBq2KIxcGuhj9oH53c
  90. C1HikHTOajY0olxuVJbLB5DK+fhMSKW46UbqNUvyrHRo9M0E9gZKBbbI06SyxUCF
  91. cbUNjb+2FFM0IqPhZSyTAR15SoknEQnshfGGY3Mws18MAZop2hak9zsnsb2xPtNa
  92. n/CkLbCIjEWdtOrudFBxD+KeuAbpPUQt0VBTOYiFgbeGHExltwJovqYUIRi+2R0D
  93. o0bRxX5+prwis6QdEdQDw01F/PJSdAHXf5Ej4enRheoDT0wRdXJhTTGC/ZF/2JeH
  94. FwSKelMuqRNK5XUzMKc9Jw9ls5qzHtg8Nh8OnWSgMse4cv28f3YXcUWhrco0i7Te
  95. 7zml+moFs5nWTjVJnxhUkY8AuyIMnU4POg2L7ISeFf4QpkWnhsW85BhIqYL7ruaf
  96. jUBGz1ryDXozBGNYgcwQVJGKmgD5i4PrzwiFygSRsrm5scvtYN48G5fjkJQLQx/6
  97. SFeK6Yg85bw=
  98. =cYqN
  99. -----END PGP PUBLIC KEY BLOCK-----
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement
Public Pastes
Advertisement
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!