The makers of a popular iOS email app have warned their users that their accounts may have been compromised after a buggy software update made it possible to see strangers’ emails.
Users jumped onto social networks this weekend after updating their iPhones with the latest version of Edison Mail, warning that the email accounts of other users were suddenly freely accessible within the app.
It is believed that the problem arose after the company pushed out an update that included a new account syncing feature.
In response to a cavalcade of complaints from concerned users, Edison offered its “deepest apologies” for what it described as a “malfunction”.
Earlier today Edison Mail published a blog post which attempted to explain what happened and limit the damage to its reputation:
On Friday, May 15th, 2020, a software update enabled users to manage accounts across their Apple devices. This update caused a technical malfunction that impacted approximately 6,480 Edison Mail iOS users. The issue only impacted a fraction of our iOS app users (and no Android or Mac users were affected). This temporary issue was a bug, and not related to any external security issues. Data from these individual”s impacted email accounts may have been exposed to another user. No passwords were compromised. On Saturday morning a patch was deployed to remove and prevent any further exposure. As a safety measure, the patch prevented all potentially impacted users from being able to access any mail from the Edison app. We apologize for temporarily pausing the app from working for many users, which was required to ensure the safety and protection of all potentially impacted users.
In short, realising just what an emergency it found itself in, Edison blocked users from accessing their email entirely.
And users’ emails were not accessed as a result of an attack by external hackers, but rather due to an injury that was entirely self-inflicted by Edison.
Edison may be keen to downplay the seriousness of what happened, but the truth is that its users did suffer a significant security and privacy breach.
Complete strangers were able to access the email accounts of some Edison Mail users, and read and send email from those accounts without permission.
And as so much personal sensitive information is held in email accounts, the potential for abuse is considerable.
To try to describe such a security breach as a “temporary issue” or “bug” seems disingenuous to me.
Remember – this isn’t the familiar narrative of passwords leaking into the hands of the criminal underground who might be tempted to use it to break into email accounts. Instead, regular users opened the Edison email app on their iPhone and suddenly found they could read strangers’ emails to their hearts’ content.
As a result private conversations, personal information, intimate photographs, password reset notifications for third-party services, all manner of sensitive communications will have been exposed.
In its blog post Edison says that it has released a new update to the iOS App Store which restores full functionality, and suggests that impacted users change their email account password.
Personally, if I was an affected user, I would want to do much more than that. I would want to be sure that none of my other accounts have been compromised, and might – out of an abundance of caution – want to reset the passwords on those as well.
After all, you don’t know who might have been rifling through your email, and how they might have abused that access
Furthermore, I would have to seriously question whether I would feel comfortable using the Edison Mail app again, after such a terrible privacy blunder.
The news comes at a particularly bad time for Edison, which earlier this year was accused of not being transparent enough with users that its business model involved scraping email inboxes for monetizable data.
tags
Graham Cluley is an award-winning security blogger, researcher and public speaker. He has been working in the computer security industry since the early 1990s.
View all postsSeptember 06, 2024
September 02, 2024
August 13, 2024
July 25, 2024