We wanted to release the bug fix as quickly as possible so it is only now - after the release - that we go into detail as to what is was all about: The "Target Blank" vulnerability is basically a browser bug that should be fixed by the browsers.
Currently there are still web services vulnerable to this security bug, for instance Facebook and Twitter. It allows attackers to bait you with a link and then hijack the original tab in which you clicked on the link.
This is how it would have worked in Tutanota: When you click a link sent to you by an attacker, the attacker gets access to the url of your original tab. The attacker could then change your original tab to a faked login page. When you go back to the original tab, you might think that you got logged out accidentally and type in your login credentials. Then the attacker would have been able to copy the login credentials to your encrypted mailbox.
If you had to re-type your login credentials after clicking on a link in Tutanota, please change your password now.
Even though we are a small team, we were able to fix the bug within hours of being notified while Facebook and Twitter are still vulnerable.
We want to thank Kevin Froman for notifying us about the vulnerability. This is exactly why we have published our code as open source on Github. Our aim is to bring to you the most secure email service possible. With the code being public, the security community can review it and inform us about possible bugs so that we can eliminate them immediately.