Things like this are why I never use an email app that requires me to store things on the servers belonging to the developer or company. I just want something that accesses my email server and that’s it.

Everyone is trying to be Google and scan people’s email so they can sell marketing data.
Lawsuit incoming. This will be too big for this small company to handle!
Was the new sync feature turned on by the company without the ability for the user to turn off?

edited to add: It looks like the new feature had to be turned on by the user.

Edison’s TOS appears to give them protection with this security flaw, at least in the U.S.

“Edison will not be liable for any losses caused by any unauthorized use of your account. You may control your User profile and how you interact with the Service by changing the settings in the mobile application. By providing the Edison Service with your email address, you consent to our using the email address to send you Service-related notices and receipts, including any notices required by law, in lieu of communication by postal mail. You also agree that we may send you notifications regarding activity on our Service to the email address you give us, in accordance with any applicable privacy settings.”

“You are solely responsible for the content you send or receive through the Service ("User Content"). You shall be solely responsible for your User Content and the consequences of posting or publishing it, and you agree that we are only acting as a passive conduit for your online distribution and publication of your User Content. You understand and agree it is not possible for Edison to “unsend” any emails, chat messages, or other User Content sent on your behalf, or to delete your User Content from another user’s account once that User Content has been sent. You understand and agree that you may be exposed to User Content that is inaccurate, objectionable, inappropriate for children, or otherwise unsuited to your purpose, and you agree that Edison shall not be liable for any damages arising from User Content.”

EDA part 2. And to think MacRumors was promoting this app on May 9th....
 
If this announcement is causing anyone to look around for a different email provider / client, you might like to check out ProtonMail. It’s designed for data privacy and security, they don’t scan your emails, and your data is stored outside the US, just in case that’s a factor for you. Their iOS and Android apps are adequate (clean, minimalist, stable), and you can use a few popular desktop clients on Windows, macOS, or Linux with their Bridge program, a proxy that runs on your desktop and handles encryption/decryption before your messages leave your device. I’m not affiliated — just a happy customer for a couple of years now. YMMV.

I tried Protonmail Plus but it lacks customer support and I wasn't able to use it with my own domain. "Support" takes 5 days to respond and when they do it's a canned response that has nothing to do with your question.
 
While an employee may be able to take advantage of their position and somehow access your email, it's not like they're storing plaintext passwords. The mail provider sets up authentication with the server, but it doesn't continually need to log in again with the user's password.

If for no other reason, we know this is true because no one would willingly get into a business that forces you to be responsible for plaintext passwords unless they had no understanding of basic security.
As for providers that use an advanced API for authentication, that MAY be possible, but for plain simple IMAP or POP there is no token or API based access. Username+Password it is.
The smart option would be to not store the password server side at all, but in the app itself, and the server requests it from the app as needed (e.g. on reboot). (This would be very difficult to hack compared to the database approach, even if not much attention is paid to security.)
As such the credentials would only be cached in the memory of the server rather than in a database. Further to that, all content on the server should be encrypted, preferably using a public key generated by the app and stored on the server, with the private key sitting in the app.
With that technology the "accident" that happened to Edison would have been technically virtually impossible...
As a software developer, I am feeling for the team that's responsible for this stuff up. Ouch, that's job/career/company ending stuff. The pain, horror, and fear they must be feeling right now.
How about the pain, horror and fear that some users may feel about having sensitive emails exposed to unknown persons?
> I tried Protonmail Plus but it lacks customer support and I wasn't able to use it with my own domain. "Support" takes 5 days to respond and when they do it's a canned response that has nothing to do with your question.

I have contacted their support only once, but they replied within a day. And you can use custom domains with the Plus account.
> As for providers that use an advanced API for authentication, that MAY be possible, but for plain simple IMAP or POP there is no token or API based access. Username+Password it is.
> The smart option would be to not store the password server side at all, but in the app itself, and the server requests it from the app as needed (e.g. on reboot). (This would be very difficult to hack compared to the database approach, even if not much attention is paid to security.)
> As such the credentials would only be cached in the memory of the server rather than in a database. Further to that, all content on the server should be encrypted, preferably using a public key generated by the app and stored on the server, with the private key sitting in the app.
> With that technology the "accident" that happened to Edison would have been technically virtually impossible...

Well it looks like you're probably right. Sorry for speaking based on wishful thinking. I guess I've assumed too much about email/password security.
 
Oh man, I just downloaded Edison and Spark this past week to test each one out. After a few days, I figured I'd stick with the stock app for a number of reasons. I deleted my accounts a few days ago.

No more of those kinds of apps for me.
 
Here is the MacRumors thread praising and recommending Spark and Edison Mail to the viewers and readers of MacRumors.

What app will you be using moving forward, Dan, seeing how Edison is your favorite?
 
> How about the pain, horror and fear that some users may feel about having sensitive emails exposed to unknown persons?

> I have contacted their support only once, but they replied within a day. And you can use custom domains with the Plus account.

I’m thinking you’re both right; pain all around.
Glad I removed myself off this app months ago. Outlook on everything is better. Even stock Apple Mail.
 
What does the length of a token have to do with being able to steal it from a third-party server?
This is just false. Once the token has been authorized by the user (which in Edison's case happens when you configure the account in the app), it can be used to access the emails the same way that e.g. Edison's servers use. No 2FA required.

In terms of access security, OAuth tokens are only marginally better than account passwords (because their access is usually more restricted), and no better than the "app passwords" that services like Google hand out to enable IMAP clients to access accounts with 2FA enabled.
Yes, but my device is under my control and not exposed to the Internet like some cloud server.
You need to learn how OAuth works. The fact that this incident affects Gmail accounts just as much as IMAP accounts should tell you that OAuth doesn't provide protection.
It does. But this is a problem with the way Edison handles your email.
 
> Things like this are why I never use an email app that requires me to store things on the servers belonging to the developer or company. I just want something that accesses my email server and that’s it.
>
> Everyone is trying to be Google and scan people’s email so they can sell marketing data.

Do you leave your mail on the server, or do you POP it down? Or are you running your own mail exchange? Aren’t you storing everything on the servers belonging to the developer or company when you use IMAP?

I know google trained us to never delete email. I wonder why.
 
UPDATE from Edison:

In the Edison App, pls go to Settings > Manage Privacy > Delete Stored Data. Please update all your email passwords. We are actively working on this issue and hope to have it resolved quickly. If you have any questions pls send us an email at support.
 
There's a report on Twitter of users gaining access to corporate Exchange accounts with HR information in them. Yikes.
 
> UPDATE from Edison:
>
> In the Edison App, pls go to Settings > Manage Privacy > Delete Stored Data. Please update all your email passwords. We are actively working on this issue and hope to have it resolved quickly. If you have any questions pls send us an email at support.


Anyone still using this app is an absolute fool at this point. This is big privacy violation strike 2, after employees reading your emails to train AI.

Fool me once, shame on you; fool me twice, shame on me. But I guess some people are gluttons for punishment and will wait for strike 3 🙄
 
> Do you leave your mail on the server, or do you POP it down? Or are you running your own mail exchange? Aren’t you storing everything on the servers belonging to the developer or company when you use IMAP?

This concern can be greatly alleviated by using an email service that stores emails with zero-knowledge encryption, such as Protonmail or Tutanota. POP is just no longer a good solution at a time when most of us access our email from multiple different devices ...
I understand it shouldn't be doing it. I was just hoping to offer a solution - quitting the app completely, minimizing it, or hiding it (command-H) seem to be workarounds. Hopefully an actual fix comes at some point, but I don't know, because the full-screen aspect of macOS feels very "bolted-on" to me. Mail isn't the only app that sometimes steals focus in full-screen mode.

I do appreciate the suggestions. It's just that the issue has gone on so long now that I retain little hope of them fixing it. So many things feel that way these days. I replaced Mail on iOS with Outlook because iOS Mail would not accept another browser besides Safari, which I can't use because Apple refuses to support it on desktops. It's a cycle. What should be apps that build the value of the Apple ecosystem are programs that gradually destroy it.
Why the hell do E-mail accounts EVER cross paths? The E-mail client should be making a direct IMAP connection to your account. There should be nothing stored on the company's server nor should there be any credential saving.

Every E-mail client I've used in the 25 years I've been using E-mail clients has made a direct IMAP connection to the server. In order for you to be seeing someone else's E-mails that means the company must be caching them somewhere that's not your device. Why the hell??
 
> Why the hell do E-mail accounts EVER cross paths? The E-mail client should be making a direct IMAP connection to your account. There should be nothing stored on the company's server nor should there be any credential saving.
>
> Every E-mail client I've used in the 25 years I've been using E-mail clients has made a direct IMAP connection to the server. In order for you to be seeing someone else's E-mails that means the company must be caching them somewhere that's not your device. Why the hell??

Their website claims a direct IMAP connection, but the results show otherwise.