
Proton Pass: Second-Password Bypass Through Emergency Access


I've been using the Proton suite for a couple of years, and my family is on it too. New features, fresh takes on familiar tools, a clear privacy-first stance: Proton has a lot going for it. Some choices are debatable (the Bitcoin wallet, for one), but overall we like the platform.

For context: Proton Pass lets you set a second password specifically on the Pass vault, separate from your main account password. It's an extra layer on top of everything else, designed so that even if someone gets into your Proton account, they still can't open your password vault without that second password. It's the whole point of the feature.

About a month ago, a family member forgot that second password. The timing was bad: it happened right before the weekend. He had taken security seriously and used unique generated passwords for every account, so losing access to Pass meant losing access to almost everything else. Banking, subscriptions, daily logins, all out of reach.

We emailed Proton support. Resetting a Pass second password is a standard procedure: you verify your identity, and they help you back in. But support didn't respond before the weekend, and after a day or two he came to me. He needed a way in.

While we were sorting things out, his main account password had been reset, and at some point Multi-Factor Authentication got disabled. I'm not certain whether the MFA removal happened automatically as part of the reset or somewhere else in the flow. Either way, the account was now behind a single password, and the Pass vault was supposedly still locked behind its own second password.

That's when I noticed Emergency Access, a relatively new feature. The waiting time field showed "None", meaning I could add myself as an emergency contact and get in immediately. So I did. I linked my own account, logged in through Emergency Access, and opened Proton Pass.

Full access. The second password, the entire reason that layer exists, was never requested. The vault was wide open.

What is this feature?

The idea behind it is solid. You nominate another Proton user as a trusted contact, and if something happens to you (you pass away, lose access to your account or whatever the case) they can request access and eventually get into your full account. It saves your family from the nightmare of being potentially locked out of your financial, healthcare, and personal records at the worst possible moment.

Genuinely a great feature. But also a security risk.

How this vulnerability applies

Plenty of people don't set up multi-factor authentication. It's an extra hassle, they don't fully understand it, or they just can't be bothered. This is especially common with older users, who'd rather stick to "a password they can remember", or with someone who forgot to re-enable MFA after a password reset. The moment that password leaks or they fall for a phishing attempt, an attacker is in.

"Okay, but I've got a second password on my Proton Pass. No way they'd be able to pivot into all my accounts, credit cards, recovery keys, identities, email aliases, right?"

The vulnerability

Turns out there's a pretty easy way to bypass the whole second-password system, without the victim having enough time to confirm or deny it.

As the attacker, we've got access to an account we'll call "Target", with the alias being [email protected]:

Target Proton account

With access to the account, when we navigate to pass.proton.me, we're hit with the extra password lockout:

Proton Pass second-password lockout

No way we can access their whole Proton Pass vault, right?

Right?

Setting up the recovery

All we need to do is spin up a fresh Proton account. Verification is minimal by design, since Proton's whole pitch is that you shouldn't have to hand over personal data to use it. That tradeoff is a separate discussion, so let's stick to the security angle here.

So: the account's been taken over. The victim has no idea their password leaked, or that they got phished. From here, we just head over to: https://account.proton.me/u/0/mail/recovery

From there we navigate to "Add emergency contact" and drop in our freshly created attacker account. In this case we'll call it [email protected]:

Adding the attacker as an emergency contact

The important part here is setting the Wait time for access to None. This is where the weakness of the implementation starts to show.

With the wait time set to None, we get instant access to every other platform tied to the account. No window for the user to change their password, kill active sessions, or double-check that the emergency contact is actually someone they trust. Although it's hard to think of a perfect solution for this, the instant-access option certainly doesn't help. We do get an email saying the emergency contact was added, but in this scenario it would be too late:

Email notification that emergency access was granted

Hiding the emergency access notifications

I was thinking that an email notification would be enough to alert the user to the account access request. But with access to the email account, we could add a rule that automatically moves emails like this directly to spam, archive, or trash, making it even harder for the user to notice. For example, we could add the following rule: all emails with the subject 'Emergency access granted' get moved to trash:

Mail filter rule sending the notification to trash

When the user [email protected] requests access, it gets directly moved to trash:

Emergency access granted email landing in trash

Note: if you have the Proton Pass app installed on your mobile, you do still get a push notification, even when the email has been filtered out. Not allowing notifications from the app would of course disable this.

Obtaining access

Our attacker account has now been added as an immediate-access contact on the victim's account:

Attacker listed as immediate-access emergency contact

As "immediate" already suggests, we can access the account right away. Sure, the victim gets an email notification, and technically there's a deny option, but with the wait time set to None, by the time they've even seen the email we've already moved on to the next step.

We log in to our attacker account [email protected] and, in our settings, we get a list of the accounts we can obtain "Emergency Access" to. At this point, we can just click Access Account:

Access Account button on the attacker side

After clicking the Access Account button, we navigate to "Proton Pass" and we're in. Full access to Proton Pass. That "second password" prompt from the top of this post? Gone. Never shows up:

Full Proton Pass vault access without the second password

And to make things even easier on the attacker side, we can grab everything in one shot:

Exporting the entire vault

From a leaked password to a full vault export. No timed confirmation, no second password, no meaningful delay. Just a feature working exactly as designed.
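The same sequence can be viewed from the defender's side. As an added example (not from this post and not Proton's code), here is a small correlator that scans a constructed account-audit log for the signals the walkthrough above produces: a password reset or MFA removal, an emergency contact added with no wait time, a mail filter hiding the "Emergency access granted" notification, and access used within 24 hours. The pipe-separated log format, the event names, the placeholder addresses and the 48-hour window are all assumptions.

```python
from datetime import datetime, timedelta

# Added example: correlate account-security events to flag the sequence this
# walkthrough describes. The pipe-separated event format and the event names
# are constructed for the example; they are not Proton's real audit-log schema.
HIDING_ACTIONS = {"trash", "spam", "archive"}
PRECURSORS = {"password_reset", "mfa_disabled"}


def parse_line(line: str):
    """'ISO-timestamp|kind|key=value|...' -> (timestamp, kind, fields)."""
    ts, kind, *pairs = line.strip().split("|")
    return datetime.fromisoformat(ts), kind, dict(p.split("=", 1) for p in pairs)


def correlate(lines, window=timedelta(hours=48)):
    """Return one alert string per suspicious signal around each added contact."""
    events = sorted((parse_line(l) for l in lines if l.strip()), key=lambda e: e[0])
    alerts = []
    for ts, kind, f in events:
        if kind != "emergency_contact_added":
            continue
        who = f.get("contact", "?")
        near = [e for e in events if ts - window <= e[0] <= ts + window]
        if f.get("wait") == "none":
            alerts.append(f"{who}: added with no wait time")
        if any(k in PRECURSORS and t <= ts for t, k, _ in near):
            alerts.append(f"{who}: added after a password reset or MFA removal")
        if any(k == "mail_filter_created"
               and "emergency access" in g.get("subject", "").lower()
               and g.get("action") in HIDING_ACTIONS for _, k, g in near):
            alerts.append(f"{who}: a mail filter hides emergency-access notifications")
        if any(k == "emergency_access_granted" and g.get("contact") == who
               and timedelta(0) <= t - ts < timedelta(hours=24) for t, k, g in near):
            alerts.append(f"{who}: access used within 24h of being added")
    return alerts


# Constructed sample logs; the addresses are placeholders.
ATTACK_LOG = """\
2025-03-07T17:05:00|password_reset|actor=owner
2025-03-07T17:06:30|mfa_disabled|actor=owner
2025-03-07T17:20:00|emergency_contact_added|contact=attacker@example.invalid|wait=none
2025-03-07T17:22:00|mail_filter_created|subject=Emergency access granted|action=trash
2025-03-07T17:25:00|emergency_access_granted|contact=attacker@example.invalid
""".splitlines()
BENIGN_LOG = ["2025-03-01T10:00:00|emergency_contact_added|contact=spouse@example.invalid|wait=24h"]
```

Run against ATTACK_LOG it raises four alerts; a contact added with a real wait time and no follow-on activity raises none.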

Verdict

I reported it to Proton through the proper channels before writing any of this up. Their response:

The reason for this is because the behavior in question is currently this way by design and our team is aware of the findings you've shared.

We see it differently. Think about why someone sets a second password on Pass in the first place. It serves a specific purpose. It's so that if your main account ever gets compromised, whether through a leak, a phish, or a reused password, you have a safety net. The second password is your guarantee that your vault is still safe, and that you have time to react: change your main password, kill active sessions, lock things down before the attacker reaches the crown jewels.

The deeper issue here is one of trust roots. In this setup, your email account is effectively the root of identity for everything else: account recovery flows back to it, session approvals flow through it, and now Emergency Access does too. That makes it a single point of failure. You can build a heavily fortified vault with an extra lock on it (Proton Pass with a second password), but if the person holding the front-door key (your email) is trusted unconditionally by the system, they can walk in through the emergency entrance and open the vault without ever touching that second lock. Once your root of identity falls, the second layer stops mattering.

Emergency Access with None makes this concrete. The moment the main account falls, the vault falls with it. No delay, no warning you can act on, no second layer holding the line.

Edit: Another way to secure this feature would be to ask for the second password of Proton Pass right when you add an emergency access email.

Sending an email to the compromised user when Emergency Access is triggered is a step in the right direction, but it leans on the same trust root that just got broken. An attacker with mailbox access can quietly add a filter to delete or archive the notification, and the user never sees it (without the Proton Pass app). A meaningful warning needs to go somewhere outside that trust root: SMS, a recovery email on a different provider, or a push notification to a device that doesn't depend on the compromised account.

I'm not saying Emergency Access should be removed. It solves a real problem. My feedback is narrower: the None wait-time option shouldn't exist.

The counter-argument writes itself: some users want immediate access for a spouse, a business partner, a caregiver. Fair. But none of those cases actually require None. A 24-hour minimum covers every one of them without meaningfully inconveniencing anyone, while still preserving the exact thing the second password was supposed to give you in the first place: time.
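To make the recommendations in the last few paragraphs concrete, here is an added model of a hardened Emergency Access flow (my own illustration, not Proton's code): adding a contact re-proves the Pass second password, the wait time has a 24-hour floor instead of a None option, the owner can deny during that window, and the notification goes to an out-of-band channel rather than the mailbox. The class, its method names, the hour-based clock and the salt are assumptions.

```python
import hashlib
import hmac

# Added example: a model of the hardened Emergency Access flow argued for in
# this post. It is not Proton's code; the API, the 24-hour floor and the
# out-of-band channel are assumptions drawn from the post's recommendations.
MIN_WAIT_HOURS = 24.0
SALT = b"constructed-salt"  # production code: per-user random salt + slow KDF


def _verifier(password: str) -> bytes:
    """Derive a comparable verifier so the second password is never stored."""
    return hashlib.sha256(SALT + password.encode()).digest()


class EmergencyAccess:
    """Times are plain floats (hours) to keep the model small."""

    def __init__(self, pass_second_password: str):
        self._verifier = _verifier(pass_second_password)
        self.contacts = {}     # contact -> required wait in hours
        self.pending = {}      # contact -> [requested_at, denied]
        self.out_of_band = []  # SMS/push/other-provider mail, not the mailbox

    def add_contact(self, contact: str, wait_hours: float, second_password: str):
        # Re-prove the Pass second password at the moment a contact is added,
        # so mailbox access alone is not enough to create a back door.
        if not hmac.compare_digest(_verifier(second_password), self._verifier):
            raise PermissionError("Pass second password required")
        # No "None" option: enforce a floor so the owner has time to deny.
        if wait_hours < MIN_WAIT_HOURS:
            raise ValueError(f"wait time must be >= {MIN_WAIT_HOURS}h")
        self.contacts[contact] = wait_hours

    def request_access(self, contact: str, now: float):
        if contact not in self.contacts:
            raise KeyError(contact)
        self.pending[contact] = [now, False]
        deadline = now + self.contacts[contact]
        self.out_of_band.append(f"{contact} requested access; deny before t={deadline}h")

    def deny(self, contact: str):
        self.pending[contact][1] = True

    def can_access(self, contact: str, now: float) -> bool:
        req = self.pending.get(contact)
        if req is None or req[1]:
            return False
        return now >= req[0] + self.contacts[contact]
```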

Security works best in layers, but layers only help if they fail independently. Enable multi-factor authentication on your account and set a second password where you can. Together, those measures raise the bar against account takeover and keep your Proton Pass vault out of reach for this bypass, as long as the layer underneath them, your email, is still standing.