[BreachExchange] Edison Mail bug exposed users’ email accounts to complete strangers

Destry Winant destry at riskbasedsecurity.com
Wed May 20 10:29:09 EDT 2020


https://securityboulevard.com/2020/05/edison-mail-bug-exposed-users-email-accounts-to-complete-strangers/

The makers of a popular iOS email app have warned their users that
their accounts may have been compromised after a buggy software update
made it possible to see strangers’ emails.

Users jumped onto social networks this weekend after updating their
iPhones with the latest version of Edison Mail, warning that the email
accounts of other users were suddenly freely accessible within the
app.

It is believed that the problem arose after the company pushed out an
update that included a new account syncing feature.

In response to a cavalcade of complaints from concerned users, Edison
offered its “deepest apologies” for what it described as a
“malfunction”.

Earlier today Edison Mail published a blog post which attempted to
explain what happened and limit the damage to its reputation:

On Friday, May 15th, 2020, a software update enabled users to manage
accounts across their Apple devices. This update caused a technical
malfunction that impacted approximately 6,480 Edison Mail iOS users.
The issue only impacted a fraction of our iOS app users (and no
Android or Mac users were affected). This temporary issue was a bug,
and not related to any external security issues.

Data from these individuals’ impacted email accounts may have been
exposed to another user. No passwords were compromised. On Saturday
morning a patch was deployed to remove and prevent any further
exposure. As a safety measure, the patch prevented all potentially
impacted users from being able to access any mail from the Edison app.
We apologize for temporarily pausing the app from working for many
users, which was required to ensure the safety and protection of all
potentially impacted users.

In short, realising just what an emergency it found itself in, Edison
blocked users from accessing their email entirely.

And users’ emails were not accessed as a result of an attack by
external hackers, but rather due to an injury that was entirely
self-inflicted by Edison.

Edison may be keen to downplay the seriousness of what happened, but
the truth is that its users did suffer a significant security and
privacy breach.

Complete strangers were able to access the email accounts of some
Edison Mail users, and read and send email from those accounts without
permission.

And as so much personal sensitive information is held in email
accounts, the potential for abuse is considerable.

To try to describe such a security breach as a “temporary issue” or
“bug” seems disingenuous to me.

Remember – this isn’t the familiar narrative of passwords leaking into
the hands of the criminal underground who might be tempted to use it
to break into email accounts. Instead, regular users opened the Edison
email app on their iPhone and suddenly found they could read
strangers’ emails to their hearts’ content.

As a result private conversations, personal information, intimate
photographs, password reset notifications for third-party services,
all manner of sensitive communications will have been exposed.

In its blog post Edison says that it has released a new update to the
iOS App Store which restores full functionality, and suggests that
impacted users change their email account password.

Personally, if I was an affected user, I would want to do much more
than that. I would want to be sure that none of my other accounts have
been compromised, and might – out of an abundance of caution – want to
reset the passwords on those as well.

After all, you don’t know who might have been rifling through your
email, and how they might have abused that access.

Furthermore, I would have to seriously question whether I would feel
comfortable using the Edison Mail app again, after such a terrible
privacy blunder.

The news comes at a particularly bad time for Edison, which earlier
this year was accused of not being transparent enough with users that
its business model involved scraping email inboxes for monetizable
data.
