
Remote Code Execution in Tutanota Desktop due to Code Flaw

Blog post from Sonar

Post Details
Company: Sonar
Author: Paul Gerste
Word Count: 2,741
Language: English
Hacker News Points: 2
Summary

The Sonar Research team found a critical vulnerability in Tutanota's web-based clients, the desktop client included, that could let an attacker steal decrypted emails and impersonate the victim. The root cause was a parser differential: the Linkify library Tutanota uses to turn URLs in emails into clickable links does not interpret HTML the way the browser's parser does, so an attacker could craft content that Linkify rewrote into markup the browser then rendered as arbitrary, attacker-controlled HTML inside the application's DOM. On the desktop client this could be escalated to code execution: an attacker who controlled a file on the file system could bypass the Content Security Policy (CSP), and the application's inter-process communication (IPC) calls could then be used to download and run a malicious executable. The Tutanota team fixed the vulnerability within two days of the report and added further hardening against similar issues. The post's recommendations for avoiding this class of bug: sanitize on the client with a state-of-the-art sanitizer, never modify or re-parse HTML after it has been sanitized, and add defense-in-depth mechanisms such as a strict CSP and blocking of dangerous IPC calls.
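The recommendation not to modify or re-parse HTML after sanitization is easier to see in code. What follows is an added example, not code from Sonar's post, Tutanota, or the Linkify library: a regex-based linkifier that rewrites an already-sanitized HTML string as flat text, beside a variant that only rewrites text tokens. The `tokenize`, `linkifyString`, `linkifyStructured` and `injectsTagIntoAttribute` helpers, the URL pattern, and the `SANITIZED` sample are all constructed for the illustration and do not describe how Linkify or Tutanota's client actually work.

```javascript
// Added example (not code from Sonar's post, Tutanota, or the Linkify
// library): why rewriting an already-sanitized HTML string is dangerous.
// A regex-based linkifier sees a flat string; the browser sees a tree. When
// the two disagree about where a URL sits, the linkifier can emit new tags
// inside attribute values, undoing what the sanitizer approved.

const URL_RE = /https?:\/\/[^\s"'<>]+/g;

const escapeText = (s) =>
  s.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;");
const escapeAttr = (s) => escapeText(s).replace(/"/g, "&quot;");
// Decode &amp; last so that "&amp;lt;" becomes "&lt;", not "<".
const decodeEntities = (s) =>
  s.replace(/&quot;/g, '"').replace(/&lt;/g, "<").replace(/&gt;/g, ">").replace(/&amp;/g, "&");

// Vulnerable pattern: treat the sanitized HTML as plain text and wrap every
// URL-looking substring, wherever it is. A URL inside an attribute value is
// rewritten too, and the anchor's quotes break the enclosing attribute.
function linkifyString(html) {
  return html.replace(URL_RE, (url) =>
    `<a href="${escapeAttr(url)}">${escapeText(url)}</a>`);
}

// Toy tokenizer (an assumption of this example): splits markup into tag and
// text tokens. It expects well-formed, sanitizer-produced input with no raw
// '>' inside tags. In a browser you would walk the DOM's text nodes (for
// example with a TreeWalker) instead of tokenizing a string at all.
function tokenize(html) {
  const tokens = [];
  const tagRe = /<[^>]*>/g;
  let last = 0;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    if (m.index > last) tokens.push({ type: "text", value: html.slice(last, m.index) });
    tokens.push({ type: "tag", value: m[0] });
    last = tagRe.lastIndex;
  }
  if (last < html.length) tokens.push({ type: "text", value: html.slice(last) });
  return tokens;
}

// Linkify one text token: decode its entities, find URLs in the plain text,
// and re-escape everything on the way out so no new markup can appear.
function linkifyText(escapedText) {
  const plain = decodeEntities(escapedText);
  const re = new RegExp(URL_RE.source, "g");
  let out = "";
  let last = 0;
  let m;
  while ((m = re.exec(plain)) !== null) {
    out += escapeText(plain.slice(last, m.index));
    out += `<a href="${escapeAttr(m[0])}">${escapeText(m[0])}</a>`;
    last = re.lastIndex;
  }
  return out + escapeText(plain.slice(last));
}

// Structure-aware pattern: only text tokens are rewritten; tags (and the
// attribute values inside them) pass through untouched.
function linkifyStructured(html) {
  return tokenize(html)
    .map((t) => (t.type === "tag" ? t.value : linkifyText(t.value)))
    .join("");
}

// Constructed sample: markup as an allowlist sanitizer might emit it, with a
// URL-shaped value inside the permitted title attribute.
const SANITIZED = '<b title="http://example.com/a">see http://example.com/b</b>';

// Check: true when linkification opened a tag inside an attribute value,
// i.e. produced markup the sanitizer never inspected.
function injectsTagIntoAttribute(html) {
  return /="[^"]*<a /.test(html);
}

console.log("flat string:", linkifyString(SANITIZED));
console.log("text tokens:", linkifyStructured(SANITIZED));
console.log("flat output breaks an attribute:", injectsTagIntoAttribute(linkifyString(SANITIZED)));
```

For the flat-string output, the browser's tokenizer ends the `title` attribute at the second double quote and turns the remainder of the injected anchor into stray attributes and text, so the document the user sees is no longer the one the sanitizer approved; with attacker-chosen attribute content, that mismatch between a string-level rewriter and the HTML parser is the shape of a parser differential. The fix is ordering rather than a better regex: linkify the text nodes of a parsed document, or run the linkifier first and make the sanitizer the last step before the markup reaches the DOM.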