Edison Mail security vulnerability exposed accounts to other people



Some Edison Mail users discovered over the weekend that they were able to access the emails of strangers inside the app.
The company explained that a software bug was responsible for the unauthorized access, not a security breach.
Edison Mail fixed the issue, and prompted 6,480 impacted users to reset their passwords.

Some Edison Mail users discovered over the weekend that they could access accounts belonging to other customers, which appeared directly inside the Edison Email client on iOS. Many took to social media to report the security vulnerability that allowed them to access strangers’ emails, and the company was quick to respond. Edison Mail quickly issued fixes, explaining that only a limited number of users were impacted by the security glitch and that only people on iOS experienced it. This is a major security and privacy breach, one that Edison Mail didn’t explain in full.

Edison Mail explained to 9to5Mac what had happened.

10 hours ago a software update was rolled out to a small percentage of our iOS users. Some of these users who received the update are experiencing a flaw in the app impacting email accounts that was brought to our attention this morning. We have quickly rolled back the update. We are contacting the impacted Edison Mail users (limited to a subset of those users who have updated and opened the app in the last 10 hours) to notify them.
At this time this appears to be a bug and not a security breach.

The company then addressed the issue in a blog post. Edison Mail stressed that no account credentials were compromised in the process and that the issue was fully resolved within 30 hours of the first report “by ‘bricking’ access to potentially impacted Edison iOS app users and any email messages from the app.”
The company said that “6,480 Edison Mail iOS users were potentially impacted,” following a software update. All of these customers have been notified to reset their passwords.

I just updated @Edison_apps Mail &, after enabling a new sync feature, an email account THAT IS NOT MINE showed up in the app, that I could seemingly access completely. This is a SIGNIFICANT security issue. Accessing another's email w/o credentials! Never trusting this app again.
— Zach (@zmknox) May 16, 2020

A new version of the app was made available on Sunday morning, the company notes. The updated app restored full functionality for the 6,480 affected users.

Hi @Edison_apps I just updated the email app and I can now see the email of two accounts that I’ve never heard of in my life. I think you have a huge security flaw. The three accounts starting with the name Chris are mine. The...
