Maybe they can spin this to put the blame on Coronavirus 🧐
That would be funny if it didn't hit so close to home. My local UPS Store just notified everyone who has a mailbox that "effective immediately" they are nearly tripling the cost of mailboxes (from $13/ mo to $35/ mo) because of Coronavirus. They stayed open throughout the lockdown, gas is at record lows, people are shipping more than ever because stores are closed, yet their business has been hurt so bad by COVID-19 they have to dramatically raise their prices.
 
I'm confused about those experiencing Mail opening itself every 15 minutes. Are you saying that you quit Mail and it launches every 15 minutes and you need to quit it again? Or is the app running and it pops up a window? I cannot seem to reproduce the issue.

I think they’re referring to the macOS Mail app taking focus away while in the middle of something else in a different app. If you’ve got the Mail app open in Full Screen mode, it’ll just switch over to the app. Happens a lot, but I see it happen with a couple other apps, too. Not just the Mail app.
 
Both. Mail will open on its own and open a window. I then have to quit the app again. For me it isn't exactly every 15 minutes, but it will interrupt whatever I am doing. If I have an app full screen it will switch to split screen.

It can be really bad. I once had it occur during a proctored test.

When quitting mail, do you quit from the menu bar or just close the viewer window? Closing its window doesn't quit it. I cannot find another report of it opening when it's actually been quit.

Sounds like some users experience it "popping up" when open in the background though, specifically with some gmail accounts with certain notification settings enabled (some suggest turning off Google Calendar notifications on the google calendar website).

As for it "popping up" in split screen when it's open in the background: in the General preferences, there is an option "Prefer opening messages in split view when in full screen" which you can turn off. I have had different issues with Mac mail and Gmail in the past - Google uses their own protocols which they change every so often, and Apple is slow to catch up.
I think they’re referring to the macOS Mail app taking focus away while in the middle of something else in a different app. If you’ve got the Mail app open in Full Screen mode, it’ll just switch over to the app. Happens a lot, but I see it happen with a couple other apps, too. Not just the Mail app.

I don't like full-screen so I never use it. That must be why I'm totally unfamiliar with these types of issues. Thanks for enlightening me.
 
The Outlook app has the same fundamental security flaw when used with non-Microsoft email accounts: it stores your account credentials (and your emails) in their cloud ...

That's an oversimplification and blanket untrue statement.

When you authorize say a Gmail account you are using OAuth which gives the Outlook app a token to access your inbox; which can be revoked. Outlook does NOT get your Gmail login info - just a long complex token ID.

With generic IMAP accounts, sure. But any mail service with OAuth they don't get your credentials.
 
That's an oversimplification and blanket untrue statement.

When you authorize say a Gmail account you are using OAuth which gives the Outlook app a token to access your inbox; which can be revoked. Outlook does NOT get your Gmail login info - just a long complex token ID.
An OAuth token is an account credential and can still be stolen and used to access your emails, or accidentally be assigned to the wrong person because of a severe bug like in this case.
 
An OAuth token can still be stolen and used to access your emails.

Good luck with that. For Gmail:

Tokens can vary in size, up to the following limits:

  • Authorization codes: 256 bytes
  • Access tokens: 2048 bytes
  • Refresh tokens: 512 bytes

An app cannot access your account without authorization (the Google app popup, 6 digit code etc) even if they did get your token. Assuming the user is halfway intelligent and using 2 factor. It's useless without authorization by the account holder which the hacker wouldn't have access to authorize access via the token.

It can also be taken off your device since that is how Apple Mail logs in, in theory.

But that is just tin foil hat stuff due to the complexity of the system and token.
 
I quit Apple's Mail app a few years ago - it would fill my drive with many GBs of strange files. I even worked with Apple Engineers and they couldn't solve it. I moved to Postbox and love it. Apple's iOS Mail app works perfectly fine for me. I also use Outlook on desktop/mobile to better integrate with some clients. I'm always on the lookout for great mail clients -- I'll never try Edison. Bugs are inevitable but at this level, it just speaks to lack of quality control and probably lack of great engineering.
 
I guess I'm just getting old... if I'm not paying for something I worry how the company will a) survive b) use my data to make $. Could never use Edison Mail for that reason. Stuff like this makes me cringe.

For mail I use FastMail (mostly on my computer via web browser). Work: Office 365 / Google Apps (their respective websites / iPhone apps).
 
And that's why I stay away from services that sync passwords, bookmarks, other stuff between devices, especially stuff from indie developers where who the hell knows how data is being managed.

I guess one exception is iCloud.
Because Apple can do no wrong? 🙄 I'd rather use 3rd party nexuses; I don’t want to be tied down to one platform. This is why stuff should be end to end encrypted.

I guess I'm just getting old... if I'm not paying for something I worry how the company will a) survive b) use my data to make $. Could never use Edison Mail for that reason. Stuff like this makes me cringe.

For mail I use FastMail (mostly on my computer via web browser). Work: Office 365 / Google Apps (their respective websites / iPhone apps).
FastMail can go out of business too, just like any other company.
 
Good luck with that. For Gmail:
What does the length of a token have to do with being able to steal it from a 3rd party server?
An app cannot access your account without authorization (the Google app popup, 6 digit code etc) even if they did get your token. Assuming the user is halfway intelligent and using 2 factor. It's useless without authorization by the account holder which the hacker wouldn't have access to authorize access via the token.
This is just false. Once the token has been authorized by the user (which in Edison's case happens when you configure the account in the app), it can be used to access the emails the same way that e.g. Edison's servers use. No 2FA required.

In terms of access security, OAuth tokens are only marginally better than account passwords (because their access is usually more restricted), and no better than the "app passwords" that services like Google hand out to enable IMAP clients to access accounts with enabled 2FA.
It can also be taken off your device since that is how Apple Mail logs in, in theory.
Yes, but my device is under my control and not exposed to the Internet like some cloud server.
But that is just tin foil hat stuff due to the complexity of the system and token.
You need to learn how OAuth works. The fact that this incident affects Gmail accounts just as much as IMAP accounts should tell you that OAuth doesn't provide protection.
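
The bearer-token behaviour argued over in the post above, as an added example that is not from any poster and is not Google's or Edison's code. `ToyAuthServer`, its methods and the scope names are hypothetical; the point shown is that the password and second factor are checked when the grant is issued, while later access checks only the token (existence, expiry, scope, revocation).

```python
import secrets
import time


class ToyAuthServer:
    """Hypothetical in-memory authorization + resource server (assumption)."""

    def __init__(self):
        self._grants = {}  # token -> {"user", "scope", "expires"}

    def authorize(self, user, password_ok, second_factor_ok, scope, ttl=3600):
        # Interactive step: password and 2FA are verified once, at consent time.
        if not (password_ok and second_factor_ok):
            raise PermissionError("interactive login failed")
        token = secrets.token_urlsafe(32)
        self._grants[token] = {
            "user": user,
            "scope": set(scope),
            "expires": time.time() + ttl,
        }
        return token

    def read_mail(self, token, now=None):
        # Resource access: only the token is examined. Nothing here identifies
        # which machine or person is presenting it, and no 2FA prompt occurs.
        grant = self._grants.get(token)
        now = time.time() if now is None else now
        if grant is None or now >= grant["expires"]:
            return None
        if "mail.read" not in grant["scope"]:
            return None
        return f"inbox of {grant['user']}"

    def revoke(self, token):
        # Revocation is what ends access for every holder of the token.
        self._grants.pop(token, None)


def walkthrough():
    """Constructed scenario: one grant, presented twice, then revoked."""
    server = ToyAuthServer()
    token = server.authorize("alice", True, True, ["mail.read"])
    first_holder = server.read_mail(token)   # e.g. the mail app's backend
    second_holder = server.read_mail(token)  # any other party holding the same string
    server.revoke(token)
    after_revoke = server.read_mail(token)
    return first_holder, second_holder, after_revoke
```

Short lifetimes, narrow scopes and prompt revocation are the controls that bound what a copied token is worth, which is why where the token is stored matters.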
 
How could a bug like this have slipped through testing?

Honestly, doesn't seem all that hard to slip through to me. For manual testing, QA sets up and shares a bunch of test accounts - they wouldn't remember that a device is only supposed to see Test1, Test2, and Test4 but not Test3.

For the automated test, just verify that the expected accounts show up and forget to also verify that the unexpected accounts don't show up.

This is why you don't go straight from QA testing to production though... should have a dog food step in between where all your employees can beta test before it goes to a wide release.
 
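
The testing gap described in the post above, as an added example that is not part of the thread and not Edison's code. The backend classes, the device names and the bug itself are constructed for illustration; the fixture reuses the post's Test1 to Test4 accounts, and the isolation check generalizes the idea to every device rather than just one.

```python
class LeakySyncBackend:
    """Toy account-sync service with a constructed isolation bug."""

    def __init__(self):
        self._by_device = {}  # device_id -> set of linked mail accounts

    def link(self, device_id, account):
        self._by_device.setdefault(device_id, set()).add(account)

    def sync(self, device_id):
        # Constructed bug: device_id is ignored, every device gets everything.
        merged = set()
        for accounts in self._by_device.values():
            merged |= accounts
        return merged


class IsolatedSyncBackend(LeakySyncBackend):
    def sync(self, device_id):
        # Correct behaviour: only the caller's own accounts come back.
        return set(self._by_device.get(device_id, ()))


# Constructed fixture matching the post: device-A owns Test1/2/4, device-B owns Test3.
OWNERSHIP = {"device-A": {"Test1", "Test2", "Test4"}, "device-B": {"Test3"}}


def seeded(backend_cls):
    backend = backend_cls()
    for device, accounts in OWNERSHIP.items():
        for account in accounts:
            backend.link(device, account)
    return backend


def presence_only_test(backend):
    """Weak check: every expected account shows up. Blind to extra accounts."""
    return all(OWNERSHIP[d] <= backend.sync(d) for d in OWNERSHIP)


def isolation_violations(backend):
    """Strong check: (device, account) pairs a device sees but does not own."""
    return sorted(
        (device, account)
        for device, owned in OWNERSHIP.items()
        for account in backend.sync(device) - owned
    )
```

The presence-only check returns the same result for both backends; only the isolation check distinguishes them.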
That would be funny if it didn't hit so close to home. My local UPS Store just notified everyone who has a mailbox that "effective immediately" they are nearly tripling the cost of mailboxes (from $13/ mo to $35/ mo) because of Coronavirus. They stayed open throughout the lockdown, gas is at record lows, people are shipping more than ever because stores are closed, yet their business has been hurt so bad by COVID-19 they have to dramatically raise their prices.
Yeah - "It's funny because it's true" :confused:
 
Keep Mail.app minimized instead of hidden. This solved it for me.

Actually, if you truly hide it (command-H) this shouldn't happen either. If you leave it open full-screen in another space while you have a different full-screen app in focus, that's when issues begin as far as I can tell.
 
When quitting mail, do you quit from the menu bar or just close the viewer window? Closing its window doesn't quit it. I cannot find another report of it opening when it's actually been quit.

I use command + Q for almost all apps.

Sounds like some users experience it "popping up" when open in the background though, specifically with some gmail accounts with certain notification settings enabled (some suggest turning off Google Calendar notifications on the google calendar website).

I have tried turning off the Calendar notifications and I still see the behavior. What I can't risk, however, is not getting calendar notifications. And my school uses Gmail as the portal for their email.

As for it "popping up" in split screen when it's open in the background: in the General preferences, there is an option "Prefer opening messages in split view when in full screen" which you can turn off. I have had different issues with Mac mail and Gmail in the past - Google uses their own protocols which they change every so often, and Apple is slow to catch up.

From what I have found this does nothing because it splits my screen instead of taking me to a different one. It's a different manifestation of the exact same problem. It's not a better situation because all it does is resize my active full screen app, which moves all the content to the left while taking up half my display with an app I don't want open.

This isn't just an annoyance. During a test I have had it open which could have resulted in me getting an F for cheating. When giving a lecture it can interrupt my presentation with sensitive student or faculty information.
Actually, if you truly hide it (command-H) this shouldn't happen either. If you leave it open full-screen in another space while you have a different full-screen app in focus, that's when issues begin as far as I can tell.

It has been doing this for years. Honestly, I consider it a core part of OSX and I should be able to keep the application however *I* want it.
 
Every iOS email app that has push notifications stores your credentials (username+password) on the app provider's SERVER and has FULL access to all your emails.

That's a fact.

How do I know that? Because the Apps themselves can't have an open connection to the mail-server in the background.
Even Apple's own email client doesn't do IMAP push (IMAP IDLE). Hence you need a server in the middle to connect to the IMAP/POP mail server and initiate a push notification.

Given the fact that your email account is the key to literally every other account you have, choose your mail app wisely...

(Longtime email client developer here)

This is largely true in the general case. And in general, I am truly shocked how many people use email apps where they give a third-party server OAuth tokens, or even worse, their raw email credentials.

Some IMAP servers, like iCloud's and Fastmail's, support a proprietary XAPPLEPUSHSERVICE extension that allows the server to send push events via APNS, without the client needing a persistent open connection. This is what the iOS Mail app does (Gmail doesn't support it).

Gmail has its own way to route push events through Pub/Sub, which you as an app developer can then reflect to APNS. It's of the "account@gmail.com might want to sync" flavor, though, without message data, and without the 3rd-party server having access to your account in any way. This strategy is also fairly fine.
 
FastMail can go out of business too, just like any other company.

It definitely could, I'll give you that. Just because a company takes $ doesn't mean it couldn't go out of business. However, it has been my experience (thanks to Google I guess) that free services usually don't last all that long - either that or my bad luck.

FastMail has been around since 1999 (had to check wikipedia to remember). I'm getting too old to try new things all the time so I prefer to give my $ to older companies (time tested) than all this new "we use your private data to make $" stuff.


And regarding the post you quoted before mine - yeah Apple can do wrong, they're just a lot less likely to do wrong than these smaller companies, especially when $ is tight.
 
I've been using this app for a while now. I ran into some issues with the app back in late 2018 with emails going to my iCloud email, which almost had me miss a job opportunity! Emails from the manager I had been corresponding with for a new job kept going into the spam/junk folder. So I wouldn't see her emails for days until I checked the junk folder. It was weird, some emails from her would come to my inbox with no issues, and others would go into the junk folder.
 
Keep using these 3rd party email clients cause they look cool or offer a feature here or there that Apple's built-in app doesn't have! ;)

Yep. Personally I tried Airmail - one of the other leading 3rd party clients - a few months back to see if I was missing anything. Deleted it and refunded within a week. A nice change of GUI from 'Ol Mac Mail, but a few issues to go with it and strange behaviors. Costs more too, and "Pro" needs periodic up-purchasing. Slightly slower. No real benefit to me in the end. I don't need features like delay or scheduling of sent emails, and I don't need my mail to be automatically sorted.

Now Edison has proven that we shouldn't use that ever again, and that dev can mess up something as simple as an Email client.

That all said Mac Mail could be a little more exciting, heh.
 
Honestly, doesn't seem all that hard to slip through to me. For manual testing, QA sets up and shares a bunch of test accounts - they wouldn't remember that a device is only supposed to see Test1, Test2, and Test4 but not Test3.

For the automated test, just verify that the expected accounts show up and forget to also verify that the unexpected accounts don't show up.

This is why you don't go straight from QA testing to production though... should have a dog food step in between where all your employees can beta test before it goes to a wide release.
Don’t disagree with the above, but didn’t anybody think of trying to test the “sync” functionality?
 
How could a bug like this have slipped through testing?

I assume Edison Mail has a very small dev team and scene.

I guess there needed to be a much larger testing pool for the issue to become apparent. Small percentage of users = Perhaps no-one experienced the issue in their Beta testing group because said group was just a few dozen people.
What a CFU, not reporting it makes it worse, being quiet is the stupidest thing they can do, and eventually they just say they are sorry in a short message...me...shakes head.

Hmm, my impression is that the Devs woke up this morning, saw that there was a huge mess, immediately wrote a short message (around 8:30am) to let everyone know they were aware and then put their heads down to try and un**** the situation. No time to craft a long eloquent message over coffee.
 
Honestly, doesn't seem all that hard to slip through to me. For manual testing, QA sets up and shares a bunch of test accounts - they wouldn't remember that a device is only supposed to see Test1, Test2, and Test4 but not Test3.

For the automated test, just verify that the expected accounts show up and forget to also verify that the unexpected accounts don't show up.

This is why you don't go straight from QA testing to production though... should have a dog food step in between where all your employees can beta test before it goes to a wide release.

And to add to that, people should notice that Apple leave a time gap when they release a software update. There is time between when an OS update appears when you specifically check for it and when you receive a notification on your device that it is available. I guess so there is a smaller pool of the public to download at the start so that if there are any massive issues, they can pull the update before it's 'pushed' out to everyone.
 
It has been doing this for years. Honestly, I consider it a core part of OSX and I should be able to keep the application however *I* want it.

I understand it shouldn't be doing it. I was just hoping to offer a solution - quitting the app completely, minimizing it, or hiding (command-H) seem to be workarounds. Hopefully an actual fix comes at some point, but I don't know because the full-screen aspect to Mac OS feels very "bolted-on" to me. Mail isn't the only app that sometimes steals focus in full-screen mode.
 
Bug or not, or small dev team, etc doesn't change the end result here. Those aren't excuses.

This is strike 2 or 3 now of MAJOR privacy violations with access to your emails - including everything sensitive like password resets, banking, etc.

There is likely no coming back from this reputation-wise. Anyone waiting for a 3rd strike is just stupid and fully at your own risk now.
 