I asked Proton support for information on the current status of the investigation into this memory safety issue. Here is the reply I received today:

Hello,

Thank you for reaching out to us!

Kindly note that there are unfortunately no updates regarding this. Our team is currently busy at the moment with other more prioritized matters, but they will hopefully take a closer look in the upcoming period.

Have a nice day!
Kind regards,

[removed name]
Customer Support
Proton VPN

Let's hope that "more prioritized matters" implies fixing other, and perhaps more serious, privacy and security issues. What's certain is that the public knows virtually nothing about their investigation into the issue – which was first reported to them at least 8 months ago. The bug might be related to this Go issue, which Mullvad seems to have already worked around. Not clear if Proton knows about this…

    fid02 I have to say it sounds as if somebody decided it doesn't matter and it's just sitting around.

    For example, have they reproduced it? If they haven't even done that then it's probably going nowhere.

    Who knows, maybe they have an LLM doing prioritization and it doesn't understand MTE because there aren't enough web pages about it yet.

    matchboxbananasynergy I continue to doubt that this has reached the development team. I might be wrong, however.

    Proton support sent me the following, on Sep 11:

    The Android development team is already aware of some crashes happening with WireGuard due to memory corruption, and they're actively being looked into.

    Unless they are not speaking the truth, I have to assume that the sentence means it has, at some point, reached the ears of a development team. Although "some crashes" is vague enough to not inspire much confidence that the support team relayed my emails to the development team, it sounds like at least some memory corruption was being looked into at some point in the past.

    Extremely frustrating that a company heavily marketed towards privacy continues to not prioritize this (but at least we now have confirmation of that). Also does not inspire confidence that, with the exception of Proton Pass, all their apps have obvious incompatibilities when being run with memory tagging. A direct competitor has fixed a memory safety issue reported by a GrapheneOS user and is now running their Android app with memory tagging on GrapheneOS in order to debug further issues. That appears to be in stark contrast to what Proton is doing. I will be relaying the Go bug to them, then I will give up on their support team. Someone else is welcome to pick up the ball!

    Wishing you all a happy day.

    (And thank you for your patience with my expressed frustration!).

      Would it make sense to try complaining on their subreddit? "YOUR DEVICES MIGHT BE VULNERABLE BECAUSE OF PROTON'S INACTION – memory-corruption bug reported months ago still unfixed" might make people panic a little and is definitely not the kind of discourse you'd generally want, but if that's what's needed to get them to actually do something, maybe it's worth it?

        fxnn Well, for one, I personally don't like that part of the dark web. Secondly, I don't much believe in fear-inspiring headlines. If someone wrote a Reddit post, it might be beneficial with an attention-grabbing headline, sure, but I think an explanation of an issue should also illustrate the situation in a reasoned way (preferably without pressing the Caps Lock button), and not invoke imminent fear and uncertainty.

          fid02 Also does not inspire confidence that, with the exception of Proton Pass, all their apps have obvious incompatibilities when being run with memory tagging.

          Only Proton VPN and Wallet encounter an error when memory tagging is enabled. Mail, Calendar, Drive and Pass run perfectly fine with it enabled.

            ErnestThornhill Mail, Calendar, Drive

            Occasional sudden shutdowns of the apps occur for me when I run them with memory tagging. I have also seen other users report this in the community chat rooms.

              ErnestThornhill But, perhaps you are running newer versions than I have, maybe beta versions? If so, it would of course be good news if the issues with those apps have been fixed.

                fid02 Nope. They've always worked fine for me in terms of memory tagging being enabled.

                fid02 I agree with you. Just to be clear: I didn't mean to actually write that, I meant it more as an exaggerated example. Well, let's just hope they fix it soon.

                fid02 Aren't those apps basically PWAs?

                  a month later

                  In hindsight, I'm not sure why I went with the difficult (and, in the end, frustrating) approach of contacting Proton support instead of their security team or posting on the GitHub tracker. OneDeuxTriSeiGo did a good thing in reporting this issue and including the tombstone.

                  fid02 Glad they finally noticed this issue. Memory Tagging issues are not exclusive to Proton VPN, so hopefully the other apps (Mail, Calendar, Drive) will be fixed as well.

                  Glad they finally noticed this issue.

                  They have been aware of the issue for months and have apparently looked into it at some point, but paused the effort some time ago. Maybe they have resumed the investigation? They are not sharing details at all, and unlike a certain other VPN competitor, they are not publicly asking for assistance in reproducing or debugging the issue, or any information at all. I know for a fact that a developer of security software raised the issue with them a couple of months ago. Everything put together, I think it shows a surprisingly poor security posture from a company that completely depends upon its reputation of being a leader in privacy-respecting products. What if this bug had been a perfect way to deanonymize users or otherwise cause them harm? I have cancelled my subscription.