Author
Paul Gerste
Word count
1934
Language
English
Hacker News points
None

Summary

The Sonar Research team discovered critical code vulnerabilities in multiple encrypted email solutions, including Proton Mail, Skiff, and Tutanota. The vulnerabilities were found in the web clients of these services and allowed attackers to steal emails and impersonate victims who interacted with malicious messages. In Skiff's web client, the team found a Cross-Site Scripting (XSS) vulnerability that let attackers bypass the service's sanitization step and insert arbitrary HTML into the page. The exploit worked in two stages: an email with an attachment caused a blob URL to be created, and a follow-up email carried a link that opened that blob URL in a new tab, which bypassed the Content Security Policy (CSP) and executed arbitrary JavaScript in the context of the Skiff web application. The vulnerability was fixed by moving the sanitizer pass after all modifications so that the final HTML is what gets checked. The team also gave recommendations for avoiding similar issues: sanitize on the client instead of the server, use state-of-the-art sanitizers, and do not modify data after it has been sanitized.