Edison Mail Bug Allowed Access to Email Accounts of Other Users

Chance Miller, reporting for 9to5Mac:

Edison Mail is one of the more popular third-party email applications for iPhone, iPad, and Mac, but an apparent bug in the service is raising major privacy concerns. Edison Mail users report that after enabling a new account syncing feature in the app, they have full access to email accounts of other Edison Mail users.

Zach Knox was one of the first Edison Mail users to acknowledge the problem on Twitter this morning:

I just updated @Edisonapps Mail &, after enabling a new sync feature, an email account THAT IS NOT MINE showed up in the app, that I could seemingly access completely. This is a SIGNIFICANT security issue. Accessing another’s email w/o credentials! Never trusting this app again.

There are bugs, and there are really bad bugs. For an email client this is about the worst bug possible, right up there with losing messages.

Edison Mail, in a statement to 9to5Mac, said, “At this time this appears to be a bug and not a security breach.” I think what they’re trying to argue is that the bug was their own fault, not the result of an outside attack, so it’s not a “security breach”. But regardless of how the bug happened, it’s obviously a security breach. Your customers having their email read by complete strangers is pretty much the definition of a security breach.

Here’s a full statement from Edison Mail.

Sunday, 17 May 2020