Protonmail Honeypot?

submitted by raven9 from self.conspiracy

https://proton.me/news/security-audit-all-proton-apps?utm_campaign=ww-en-2a-generic-coms_email-g_eng-newsletter&utm_source=proton_users_mail&utm_medium=email&utm_content=2022_-_ma

There is some real bullshit.

Protonmail claimed to have had a full security audit on all their apps and they claim they all passed yet there is a glaring security fault in their Android Protonmail app that has existed for years, that I have reported to them THREE TIMES and has persisted through every version update of the app.

If you use Protonmail on Android you can easily verify this security fault.

Go to settings - Account Settings - Privacy

Turn on "Prevent Taking Screenshots".

This setting prevents the Android app manager, and any third party apps from taking screen captures of the decrypted inbox and emails while the user is reading them which is a good security measure right?

So now log out of Protonmail.

Now log back in and again go to settings - Account Settings - Privacy.

You see the setting you previously turned on to prevent screenshots is now turned off!

This is the only setting that resets back to off every time you log out. It gives no warning of that. All the other settings are persistant. So the average user who turned on screenshot protection is gonna assume it stayed like that right? He will believe his decrypted email is protected from screen captures thereafter when in fact it is not.

So how can a professional security audit not notice this obvious security flaw? Anyone who examined the code should surely see there is something different about that setting? If they could miss something as glaringly obvious as a security setting that does not stay set then how can anyone trust they did not miss more subtle flaws that could compromise encryption keys and passwords?

I strongly suspect this is deliberate. It allows Google to capture images of the inbox and their users decrypted email while the user reads it.

all 13 comments
sorted by:
top
newinsightfulfun

[–][deleted] 8 insightful - 2 fun8 insightful - 1 fun9 insightful - 2 fun -  (1 child)

Protonmail also will not let you register for an account while you are on tor or even a VPN, im with you on honeypot

[–]Jesus 1 insightful - 1 fun1 insightful - 0 fun2 insightful - 1 fun -  (0 children)

Hiw about mullvard?

[–]Anman 4 insightful - 2 fun4 insightful - 1 fun5 insightful - 2 fun -  (2 children)

I dont remember the details, but proton mail was ousted like 5 years ago. Something big came up and anyone still using it was retarded.

I cant remember why, but I probably can't remember because I dont care enough.

[–][deleted] 1 insightful - 1 fun1 insightful - 0 fun2 insightful - 1 fun -  (1 child)

Maybe safe-mail.net is better? Who knows though.

[–]Anman 1 insightful - 1 fun1 insightful - 0 fun2 insightful - 1 fun -  (0 children)

I've had my own email host for 16 years, so this is why I don't care enough and can't offer advice. Other than; don't rely on someone else to do something important for you.

I think the proton mail thing may have had something to do with israel or something.

[–]NuclearBadger 4 insightful - 1 fun4 insightful - 0 fun5 insightful - 1 fun -  (0 children)

Don't use apps for anything personal.

[–]Drewski 3 insightful - 2 fun3 insightful - 1 fun4 insightful - 2 fun -  (0 children)

Could just be a legitimate bug, but you're not the first to suggest Proton is a honeypot. If you're on Android you should be using a de-googled OS anyways like GrapheneOS or DivestOS.

As far as email goes, my practice is to assume everything is insecure unless you're encrypting it yourself.

[–][deleted] 2 insightful - 1 fun2 insightful - 0 fun3 insightful - 1 fun -  (0 children)

Agreed, seems deliberate. Thank you for the warning.

[–]brimshae 1 insightful - 2 fun1 insightful - 1 fun2 insightful - 2 fun -  (1 child)

It's great that you think that turning off that setting will keep your phone from silently spying on you. I'll even use the word "quaint".

[–]raven9[S] 1 insightful - 1 fun1 insightful - 0 fun2 insightful - 1 fun -  (0 children)

Not as quaint as you believing I think that.

If you were even half as smart as you think you are you would realize I know exactly what they are up to and so I want everyone else to know that too because when everyone thinks these compromised providers really care about their privacy, they get complacent.

[–][deleted] 1 insightful - 1 fun1 insightful - 0 fun2 insightful - 1 fun -  (0 children)

K

[–]Tigerbitecrazy 1 insightful - 1 fun1 insightful - 0 fun2 insightful - 1 fun -  (1 child)

Just did what you described exactly (turn on screenshot blocker, log out, log in) and it stayed on for me.

Using android with app and OS updated.

Not trying to say you're wrong but this didn't happen to me.

::shrugs::

Uninstall and reinstall?

[–]raven9[S] 1 insightful - 1 fun1 insightful - 0 fun2 insightful - 1 fun -  (0 children)

I checked it multiple times over the years and I even downloaded and installed the latest version of the app yesterday just to see if they fixed that yet or not but it still turned that setting back off when I logged out.