- Some Edison Mail users discovered over the weekend that they were able to access the emails of strangers inside the app.
- The company explained that a software bug was responsible for the unauthorized access, not a security breach.
- Edison Mail fixed the issue, and prompted 6,480 impacted users to reset their passwords.
Some Edison Mail users discovered over the weekend that they could access accounts belonging to other customers, which appeared directly inside the Edison Mail client on iOS. Many took to social media to flag the security vulnerability that allowed them to access strangers’ emails, and the company was quick to respond. Edison Mail issued fixes, explaining that only a limited number of users were impacted by the security glitch, and only people on iOS experienced it. This is a major security and privacy breach, one that Edison Mail didn’t explain in full.
Edison Mail explained to 9to5Mac what had happened.
10 hours ago a software update was rolled out to a small percentage of our iOS users. Some of these users who received the update are experiencing a flaw in the app impacting email accounts that was brought to our attention this morning. We have quickly rolled back the update. We are contacting the impacted Edison Mail users (limited to a subset of those users who have updated and opened the app in the last 10 hours) to notify them.
At this time this appears to be a bug and not a security breach.
The company then addressed the issue in a blog post. Edison Mail stressed that no account credentials were compromised in the process and that the issue was fully resolved within 30 hours of the first report “by ‘bricking’ access to potentially impacted Edison iOS app users and any email messages from the app.”
The company said that only “6,480 Edison Mail iOS users were potentially impacted,” following a software update. All the customers have been notified to reset their passwords.
I just updated @Edison_apps Mail &, after enabling a new sync feature, an email account THAT IS NOT MINE showed up in the app, that I could seemingly access completely.
This is a SIGNIFICANT security issue. Accessing another's email w/o credentials! Never trusting this app again.
— Zach (@zmknox) May 16, 2020
A new version of the app was made available on Sunday morning, the company notes. The new version restored full functionality for the 6,480 affected users.
Hi @Edison_apps I just updated the email app and I can now see the email of two accounts that I’ve never heard of in my life. I think you have a huge security flaw. The three accounts starting with the name Chris are mine. The others aren’t. pic.twitter.com/1KURaAqaNh
— Audiophile Style (@audiophilestyle) May 16, 2020
The company made it clear that a software update was to blame, without explaining what went wrong:
On Friday, May 15th, 2020, a software update enabled users to manage accounts across their Apple devices. This update caused a technical malfunction that impacted approximately 6,480 Edison Mail iOS users. The issue only impacted a fraction of our iOS app users (and no Android or Mac users were affected). This temporary issue was a bug, and not related to any external security issues.
Edison may have acted fast to fix the problem, but this doesn’t change the fact that strangers were able to access other people’s emails for a brief period of time. It’s great news that Edison Mail wasn’t hacked, but it’s still a huge privacy breach, and something that should never ever happen inside an email client, or any app that’s supposed to protect sensitive data.