Tutanota responds to vulnerability disclosure

On April 3rd a vulnerable version of Tutanota was released. We were notified about the issue three days later by one of our users and fixed it immediately. Now, all affected versions of Tutanota have been disabled and we would like to inform you about the issue for full transparency.

All Tutanota apps (web, desktop, Android, iOS) version 3.112.5 were vulnerable to the HTML attribute injection that we explain in more detail here.

Impact

We are not aware of any incident where the vulnerability was exploited.
No action is necessary from your side.

3 Likes

I am not a Tutanota user but this is exactly the kind of response there should be to a vulnerability discovery. They immediately released a patch once they became aware, then disabled unpatched versions, and finally published all details of what happened including the critical detail of the timeline.

Good job Tutanota.

Everything will have vulnerabilities, nothing can be perfect. It is the response to those vulnerabilities being discovered that matters most.

6 Likes