Monday, May 18, 2020

Edison Mail Bug Allows Access to Other Users’ Data

Eric Slivka:

Several users of popular email app Edison Mail this morning are reporting that they are able to see email accounts of other users within the iOS app. In what appears to be a major privacy breach, users report that after enabling a new sync feature, they have full access to these other email accounts.

Via Cabel Sasser:

All I wanted was a modern email client that downloaded directly from the server — like they have forever — with no risky middleman. The Edison privacy policy said “we store as little of your email on our servers as possible”.

[…]

What an interesting butterfly effect

Apple wants to preserve your battery life > email clients can’t check in the background > email clients set up servers to store credentials and check email to push notify you of new email > everyone’s email now exposed to huge security vector

Apple should lift this restriction on checking in the background. This would bring a better user experience and better privacy. Its own Mail app is allowed to do that, with apparently acceptable effects on battery life and RAM use. For many users, iOS devices already offer plenty of battery life, and some are operated while plugged in.

Edison (via John Gruber):

No account credentials were compromised; issue was fully resolved within 30 hours of first report by ‘bricking’ access to potentially impacted Edison iOS app users and any email messages from the app.

Kudos to them for a quick fix and for revealing the exact number of affected accounts.

Previously:

Comments RSS · Twitter

Leave a Comment