German startup Tutanota has admitted its webmail service was vulnerable to a cross-site scripting bug despite boasting it offered an "NSA-proof email service."

The flaw, which would have allowed attackers to inject malicious JavaScript into victims' browsers, was uncovered and reported last night by German security researcher Thomas Roth. That's the same researcher who uncovered a similarly severe flaw in rival ProtonMail service. Both websites perform message encryption and decryption in the browser, keeping the crypto keys in the hands of the users rather than the providers (and governments).

Tutanota confirmed it had fixed the XSS hole in an advisory today that sought to play down the significance of the flaw:

It was a possible cross-site-scripting attack when forwarding an email. The issue has already been fixed. The attack worked as follows: When forwarding an email, the subject was embedded in the body of the new email unsanitized. This made it theoretically possible for attackers to manipulate the subject upon sending an email to a Tutanota email address. Then the attacker had to trick the user into forwarding this email. This way he would have had the opportunity to execute JavaScript code in the context of the web application.

Earlier this week, prior to Roth's discovery, Tutanota told The Register it had run an "extensive penetration test" during which cross-site scripting attacks were attempted. These tests [results PDF] were carried out by Syss GmbH, which was unable to turn up any problems.

"Cross site scripting attacks are prevented by a sanitizer which filters embedded scripts from the emails sent and received via Tutanota," the secure email startup assured us before Roth's XSS bug was found this week. "This sanitizer was active since Tutanota was published."

"During the penetration test cross site scripting attacks were executed, but no vulnerability found," it added.

Of course, it's entirely possible for one researcher to find flaws that others miss. However, Roth unearthed the vuln minutes after he started investigating the security of Tutanota. The German biz patched the bug within a day of being alerted to the vulnerability.

Cofounder and developer of Tutanota Arne Möhle said: “If a serious security vulnerability is discovered, we would rather shut down our service until the vulnerability is eliminated.”

The discovered subject-line vulnerability in Tutanota is "not as obvious as the ProtonMail [XSS] and relies on a small user interaction," Roth told El Reg.

He said his discovery nonetheless proves Tutanota's "XSS is not possible" claim is foolhardy even "though [Tutanota] really tries and does a much, much better job in that regard than ProtonMail."

"Obviously I did not conduct a real penetration test or anything, just a very quick look. Reviewing their cryptography would require more work," he added.

Tutanota, which offers end-to-end encryption of messages, launched a freebie product aimed at ordinary netizens on 2 July. The announcement was tainted by the usual "NSA-proof" hype, but it was able to reveal its cryptography:

Tutanota encrypts locally in the browser with a standardized, hybrid method consisting of a symmetrical and an asymmetrical key with RSA 2048 Bit and AES 128 Bit. This encryption process takes place automatically between Tutanota users. If a Tutanota user sends an encrypted email to an external recipient, the email is encrypted with AES 128 Bit with the help of a password exchange. Subject, content and attachments are automatically encrypted. The recipient can also answer directly with an encrypted email.

The firm was founded as a spin-off from the L3S Research Center at Leibniz University Hanover in 2012 by three former students. Tutanota is hoping to make money by offering a premium version of its secure email service featuring additional storage and more functionally, making it attractive to businesses.

Tutanota Starter, which is pitched at corporate IT, is an Outlook Addin that encrypts emails directly in Outlook.

The technology has not been subjected to peer review by cryptographers; the sort of people who uncovered flaws in Lavabit, which even Edward Snowden trusted (at least up to a point).

End-to-end encrypted webmail in the browser is a difficult problem to crack. Tutanota is far from the first to come unstuck despite confident claims to the contrary beforehand. Lavabit, ProtonMail, Hushmail et al have all had to backtrack on their respective security claims for one reason or another.

Tutanota claimed it was still ahead of its rivals because it refuses to touch users' unencrypted messages.

"It seems like services like Lavabit and Hushmail had some type of access to the plain text mails, e.g. because the user password was sent to the server," a Tutanota spokesman told El Reg.

"With Tutanota we can not get access to the user's private key because it is stored encrypted on the server. It is encrypted with the user's password and that password is never sent to the server. Decryption of the user's private key takes place on the client."

Without speaking specifically about Tutanota, Roth outlined the general problem many secure mail services face in living up to their lofty promises.

"The problems that generally all installation-less 'secure mailers' have persists though: if the server is hacked it can just send over malicious JavaScript to get the password and/or e-mail contents from the user," he told El Reg. ®