Edison Mail, a popular third-party email app, has warned thousands of iOS users that their emails may have been compromised after a security flaw exposed emails to complete strangers.
Edison Mail, owned by Edison Software Inc., is in the top 100 productivity apps on the Apple app store, and touts itself as “lightning fast and secure mail.” According to Edison Mail, a recent iOS update caused a temporary bug in the app. This flaw potentially allowed the unauthorized email account access of 6,480 iOS Edison Mail users to other users.
“On Friday, May 15th, 2020, a software update enabled users to manage accounts across their Apple devices,” said Edison in a statement on Sunday. “The issue only impacted a fraction of our iOS app users (and no Android or Mac users were affected). This temporary issue was a bug, and not related to any external security issues.”
Edison Mail said it has resolved the issue as of Saturday, and all accounts have been secured.
The issue appeared to stem from a new syncing feature that was rolled out in the Friday update (update 1.20.2). After the update, several Edison Mail users took to Twitter to complain that they were seeing up to 100 unread email messages from strangers’ accounts under their own Edison Mail inboxes. They were able to read others’ emails without credentials, the tweets alleged, and couldn’t adjust their sync settings to delete the emails.
“Clearly someone with the device “Mandy’s iPhone) currently has full access to my email accounts. Please tell me the data deletion works at least?” one Edison Mail user said on Twitter.
“This is a SIGNIFICANT security issue,” one Twitter user said. “Accessing another’s email w/o credentials! Never trusting this app again.”
I just updated @Edison_apps Mail &, after enabling a new sync feature, an email account THAT IS NOT MINE showed up in the app, that I could seemingly axcess completely.
This is a SIGNIFICANT security issue. Accessing another’s email w/o credentials! Never trusting this app again.
— Zach (@zmknox) May 16, 2020
Edison Mail on Sunday stressed that no passwords or credentials were exposed or compromised. Edison Mail also mentioned that as a safety measure, the ensuing patch (in version 1.20.4 ) prevented all potentially impacted users from being able to access any mail from the Edison Mail app.
“We apologize for temporarily pausing the app from working for many users, which was required to ensure the safety and protection of all potentially impacted users,” said Edison Mail.
It’s not the first time Edison Mail has come under scrutiny for security issues. In February, a Motherboard report pointed to several email apps that sell anonymized data collected from users’ inboxes, including Edison Mail.
“As an additional precaution, Edison has already contacted impacted users and asked them to change their email account password,” according to Edison Mail. “If you have not received an email, you were not impacted.”
Threatpost has reached out to Edison Mail for further comment on the bug.
Concerned about the IoT security challenges businesses face as more connected devices run our enterprises, drive our manufacturing lines, track and deliver healthcare to patients, and more? On June 3 at 2 p.m. ET, join renowned security technologist Bruce Schneier, Armis CISO Curtis Simpson and Threatpost for a FREE webinar, Taming the Unmanaged and IoT Device Tsunami. Get exclusive insights on how to manage this new and growing attack surface. Please register here for this sponsored webinar.