Edison Mail Sync Bug Allowing Access to Other Users' Email Accounts [Updated]

[chucker23n1]

The Mail app runs constant fetching in the background? I don't think so.

That's not how push works, no (fetching would be pull, not push).

The Mail app has a constantly-running background process that keeps a connection open. The server can then push data as it comes in.

As I wrote. And some 3rd party email providers (Fastmail, Mailbox.org) can send APNS notifications to the Mail app.

They can, but that doesn't help third-party apps.

Of course they can. Both Spark and Airmail on iOS support Exchange ActiveSync, and the Fastmail, Protonmail and Tuta apps supprot push notifications. The issue is that it requires support by the email provider, but that is true for the stock Mail app as well.

How do Spark and Airmail push stuff to your iPhone? By having a server of theirs knowing your credentials.

 

[TiggrToo]

I have spoken to some programmers who are involved in DB management.

What is "DB management"?

Please please not let it be "Database Management"...

 

[chucker23n1]

True, but MS also hosts how many million 365/Exchange accounts in the cloud which obviously means MS holds credentials to all of those?

Well, kind of, but in that case, it's already obvious to the user that they have access to that data. It's less obvious when it involves a third-party host.

 

[Rigby]

That's not how push works, no (fetching would be pull, not push).

Obviously. Fetch can only be run in longer time intervals, but that is true for both the stock app and 3rd party mail apps (with background app refresh).

The Mail app has a constantly-running background process that keeps a connection open. The server can then push data as it comes in.

That's not how it works. Mail uses APNS (the standard Apple push notification service). But that doesn't just work with any arbitrary email provider (which is why e.g. Gmail does not support push email with the Mail app). Nothing prevents other mail apps from doing the same.

How do Spark and Airmail push stuff to your iPhone? By having a server of theirs knowing your credentials.

The point was that nothing prevents 3rd parties from implementing Exchange Activesync, which is the second way to do email push.

 

[Nütztjanix]

This problem started appearing for me a year or two ago. It's definitely real. If I have an app in full-screen while it happens, Mail will suddenly enable Split View. If I don't, Mail will open and focus its main window.

(I do have a Gmail account.)

I don't doubt it exists - but I never experienced it, despite having Mail running all the time.

 

[MacBH928]

The computer world in the 21st century is a sad place, the apps are either broken or spying except in the rarer cases.

Keep using these 3rd party email clients cause they look cool or offer a feature here or there that Apple's built-in app doesn't have!

FOSS is the way to go.

And that's why I stay away from services that sync passwords, bookmarks, other stuff between devices, especially stuff from indie developers where who the hell knows data is being managed.

I guess one exception is iCloud.

Tell it to 1Password guys who still think saving your passwords to the cloud with a subscription model is a safe and secure idea.

What is your view on Protonmail?

ProtonMail is its own client, it does not allow you to added other services to it. A lot of ProtonMaill is open source too maybe all of it by now.

From the website.



At least your mail was securely transported to the other persons device!

And thats why no one should believe any service making any promises including Facebook and Google because the law does not hold them accountable for claims like these. Every VPN service out there is promising they are safe and secure and do not keep logs, but we know whats going to happen.

 

[chucker23n1]

Obviously. Fetch can only be run in longer time intervals, but that is true for both the stock app and 3rd party mail apps (with background app refresh).

Yes, third-party apps could do fetch (kind of; even with Background App Refresh, there actually isn't a deterministic way to do it). But I was referring to push. So I'm not sure why you keep bringing up fetch.

That's not how it works. Mail uses APNS (the standard Apple push notification service). But that doesn't just work with any arbitrary email provider (which is why e.g. Gmail does not support push email with the Mail app). Nothing prevents other mail apps from doing the same.
The point was that nothing prevents 3rd parties from implementing Exchange Activesync, which is the second way to do email push.

Mail has a two-process architecture. When the UI isn't running, `maild` still is. The UI is in `MobileMail`.

Third-party apps cannot do this approach. They can't run a background process that stays around for arbitrary periods of times. Apple can. And does. Including for Mail.
[automerge]1589733797[/automerge]

I don't doubt it exists - but I never experienced it, despite having Mail running all the time.

I saw a suggestion somewhere that it's due to how people hide the window. I like to close the main window when I'm not using it (I know I can also hide Mail, but I presume closing the window saves some RAM), and it looks like doing so prompts some code path to reopen it after a fetch.

 

[Taz Mangus]

I am curious about one thing. If you go delete your Edison account, including your data (e-mail, credentials , etc.) how do you know the company actually honored that?

I have always used the Apple e-mail client. So my question has to do more about the trust worthiness of Edison.

 

[SuperMatt]

If you use Outlook for iOS, you're storing your e-mail credentials on Microsoft's servers, regardless of whether or not your e-mail account is with Microsoft.

Nope.

Great News! Outlook Mobile no longer stores your credentials on Microsoft's servers

Before becoming Outlook Mobile, the current official Microsoft iOS and Android email app was called Acompli, and it featured some revolutionary email features at the time, but at a price. Then the app offered a Focussed Inbox, but it did this by storing your email and password on its own servers...

mspoweruser.com

 

[Apple_Robert]

I am curious about one thing. If you go delete your Edison account, including your data (e-mail, credentials , etc.) how do you know the company actually honored that?

I have always used the Apple e-mail client. So my question has to do more about the trust worthiness of Edison.

You have no positive way of knowing. You can delete the account and it not show on the front end, even though the company still has the information stored on some of their servers.

Edison should not be trusted for any reason.

 

[chucker23n1]

Nope.

Great News! Outlook Mobile no longer stores your credentials on Microsoft's servers

Before becoming Outlook Mobile, the current official Microsoft iOS and Android email app was called Acompli, and it featured some revolutionary email features at the time, but at a price. Then the app offered a Focussed Inbox, but it did this by storing your email and password on its own servers...

mspoweruser.com

Microsoft's post doesn't really say what the author seems to think it does. For one, it doesn't address credentials at all.

And second, that's only about Office 365 anyway. I specifically wrote, "regardless of whether or not your e-mail account is with Microsoft." If you're using Outlook for iOS with, say, an IMAP account, or someone else's Exchange account, then Outlook still won't do a direct connection.

 

[Expos of 1969]

Let's not kid ourselves and pretend otherwise. Nothing is fully safe these days when using the internet, email, the Cloud etc. I wish this wasn't the case but things have progressed too far to easily alter course now. One can use certain services thinking one is protecting oneself, but it is a false expectation.

Is this ideal? Of course not, but it is a battle that Joe Q. Public will have a hard time winning. I have seen no solutions for the average person that actually are practical, cost effective and make much of a difference.

 

[chucker23n1]

Let's not kid ourselves and pretend otherwise. Nothing is fully safe these days when using the internet, email, the Cloud etc. I wish this wasn't the case but things have progressed too far to easily alter course now. One can use certain services thinking one is protecting oneself, but it is a false expectation.

Is this ideal? Of course not, but it is a battle that Joe Q. Public will have a hard time winning. I have seen no solutions for the average person that actually are practical, cost effective and make much of a difference.

That's why it's important to make good choices. Pick companies you trust. Store as much data as you can safely on your own device. Follow good security practices.

 

[Nütztjanix]

I saw a suggestion somewhere that it's due to how people hide the window. I like to close the main window when I'm not using it (I know I can also hide Mail, but I presume closing the window saves some RAM), and it looks like doing so prompts some code path to reopen it after a fetch.

Well, I used to minimise Mail prior to split-screen fullscreen - but that was obviously way prior to Mojave/Catalina. So maybe that’s the reason I don’t experience this.

 

[AJAAY]

UPDATE from Edison:

In the Edison App, pls go to Settings> Manage Privacy> Delete Stored Data. Please update all your email passwords. We are actively working on this issue and hope to have it resolved quickly. If you have any questions pls send us an email at support.

I followed those same steps. But didn't re-enter my account information, I went ahead and deleted the app.

 

[1144557]

Well, kind of, but in that case, it's already obvious to the user that they have access to that data. It's less obvious when it involves a third-party host.

It has nothing at all to do with disclosure or not. Its the point of who to trust with the data more- MS with a track record or a random indie developer; who has a proven public track record of prior major privacy violations in very recent history.

 

[seanmcbay]

That’s a hilarious bug. Literally the worst thing that could go wrong.

 

[Apple_Robert]

That’s a hilarious bug. Literally the worst thing that could go wrong.

I see nothing funny about it. I doubt you would think it funny if it happened to you, and someone got a hold of some very personal information about you and took advantage of the situation.

 

[Taz Mangus]

Anybody have any idea on how many people this bug affected?

 

[gank41]

Anybody have any idea on how many people this bug affected?

I was wondering that, too. Or if it seemed like you’re fine on your end but someone else is reading my emails? I mean, what’s going on.

 

[cansuds]

there's something I've been wondering. who's going to pay me compensation if I'm financially damaged by this mailbox error?

 

[I7guy]

I see nothing funny about it. I doubt you would think it funny if it happened to you, and someone got a hold of some very personal information about you and took advantage of the situation.

The thing is I wonder (as others have noted) if the original recipient knows anything is amiss with their emails?

 

[Apple_Robert]

The thing is I wonder (as others have noted) if the original recipient knows anything is amiss with their emails?

If they don’t closely follow social / tech news, many may not know until they see strange addresses in the app, or said persons are contacted by the company.
[automerge]1589750163[/automerge]

there's something I've been wondering. who's going to pay me compensation if I'm financially damaged by this mailbox error?

If you are in the U.S., you won’t have any standing.

 

[Taz Mangus]

I wonder how many companies were using Edison e-mail. Can’t imagine the horror to find your business e-mails got routed to the wrong people.

 

[gank41]

I wonder how many companies were using Edison e-mail. Can’t imagine the horror to find your business e-mails got routed to the wrong people.

Exactly! I’m so glad the company I work for switched to o365 and forced us all to use the Outlook app for work email. I wonder if they’re going to do any work to see who specifically has been impacted by this, and then contact them letting them know of their mistake and to reset Passwords or revoke any iCloud security keys created for logins..