Edison Mail is one of the more popular third-party email applications for iPhone, iPad, and Mac, but an apparent bug in the service is raising major privacy concerns. Edison Mail users report that after enabling a new account syncing feature in the app, they have full access to email accounts of other Edison Mail users.
Update: Edison Mail provided the following statement to 9to5Mac, adding that the bug only affects iOS users.
“10 hours ago a software update was rolled out to a small percentage of our iOS users. Some of these users who received the update are experiencing a flaw in the app impacting email accounts that was brought to our attention this morning. We have quickly rolled back the update. We are contacting the impacted Edison Mail users (limited to a subset of those users who have updated and opened the app in the last 10 hours) to notify them.
At this time this appears to be a bug and not a security breach.”
The problem appears to stem from a new syncing feature that rolled out to Edison Mail clients last week. “Email connections are synced across all of your devices,” is how Edison described the functionality at launch.
Zach Knox was one of the first Edison Mail users to acknowledge the problem on Twitter this morning:
I just updated @Edisonapps Mail &, after enabling a new sync feature, an email account THAT IS NOT MINE showed up in the app, that I could seemingly access completely. This is a SIGNIFICANT security issue. Accessing another’s email w/o credentials! Never trusting this app again.
Thomas, another Edison Mail user, also pointed the problem out on Twitter early this morning. Thomas pointed out that he seemingly can’t adjust sync settings:
Guys, I see strangers’ e-mail in my app after you added sync features. I can see their email, so they can probably see mine. Despite what your blog post says I CANNOT change my sync account and all I can do is block myself and them from ever using the app.
Another user, Petter, says that they can see that another iPhone has unauthorized access to their account:
Not my email. Not my device. How can this still be going one and how can you not communicate anything. Clearly someone with the device “Mandy’s iPhone currently has full access to my email accounts. Please tell me the data deletion works at least?
Edison Mail has not responded to the complaints on social media, despite multiple users pointing out that they seemingly have full access to email accounts that aren’t theirs. It’s impossible to know the scale of this problem at this point, but even if it’s not affecting all Edison users, it’s a major security vulnerability for those who are affected.
We’ll update this post if we hear anything from Edison directly or if they reach out to affected users.
Hi @Edison_apps I just updated the email app and I can now see the email of two accounts that I’ve never heard of in my life. I think you have a huge security flaw. The three accounts starting with the name Chris are mine. The others aren’t. pic.twitter.com/1KURaAqaNh
— Audiophile Style (@audiophilestyle) May 16, 2020
Just noticed today new account in mail app. Not mine! Heavy privacy breach by @Edison_apps? pic.twitter.com/Eart7sDiiy
— Alen Zubic (@AlenZubic) May 16, 2020
https://twitter.com/trezzer/status/1261572858502877184?s=20
https://twitter.com/zmknox/status/1261645534445604865?s=20
FTC: We use income earning auto affiliate links. More.
Comments