Privacy-oriented webmail providers like Proton Mail, Tutanota, and Skiff, offer an easy way to secure communications. Even non-technical people can send end-to-end encrypted emails, which is especially useful for high-risk users such as journalists, whistleblowers, and political activists, but also privacy-seeking internauts. End-to-end encryption becomes irrelevant when there are vulnerabilities in the client. That's why we had a closer look and found critical vulnerabilities in ProtonMail, Tutanota, and Skiff that could have been used to steal emails, impersonate victims, and in one case even execute code remotely!This talk presents the technical details of these vulnerabilities. We will use three case studies to show how we found and exploited serious flaws with unconventional methods. Come and see an adventure about mXSS, parser differentials, and modern CSS coming to the rescue during exploitation.Warning: may contain exploit demos and traces of popped calcs!