Edison Mail Sync Bug Allowing Access to Other Users' Email Accounts [Updated]

[smallnshort247]

I'm one of the people who were experiencing Apple Mail on Mac opening up randomly on it's own. I switched to Spark for awhile but wasn't a huge fan of their UI. Once I heard about Edison Mail on here, I decided to download them and give them a try. Last week I had two weird situations where I got random emails with verification codes as if I was trying to reset my password or reactivate an old accounts. After reading this article, I decided to remove my accounts off Edison Mail and go back to Apple Mail. I really loved their UI, but privacy/security comes first.

 

[Rigby]

They just sent out an email to affected customers. You can see it e.g. on Twitter.

- The bug only affected users of the iOS app
- Affected iOS users have been locked out of their accounts for now and have to wait for an app update
- They say that the bug affected "approximately 6480" users (presumably that's how many downloaded the buggy version of the app before the lockdown)

That the bug affected only one platform may sound comforting at first glance, but it really shows that they have fundamental security flaws in their architecture. The client app should not ever be able to allow strangers to access the user's account, bug or not. If that is not the case, it means that the user isolation is only enforced by the client app (as opposed to their backend), which would be a gross design flaw. You'd have to be crazy to trust this app.

 

[Apple_Robert]

 

[ivan86]

My experiences:

Apple Mail = sometimes no notifications or new emails are not showing up

Outlook = iCloud Mail only works for a few days

Gmail = It’s great but sometimes not getting notifications either

Outlook is my favorite, but as long they don’t fix the problem I cannot use it. And Edison is the only one which works.

Looks like it works too well. 😂

 

[drewyboy]

Most simple path I use is, use the app for email service you have. I use gmail personally so I have the gmail app for my email. Work uses O365 so I have outlook for that. If I used iCloud I would use apples iOS mail.

 

[coolfactor]

Apple Mail.app here, for 20 years, no problems, with upwards of 20 accounts set up at a time. I only use IMAP for all accounts. People still using POP3 either have a very specific reason to do so, or don't understand the difference between POP3 and IMAP.

This was a serious, serious bug by Edison, and I think they are downplaying it significantly. This type of screwup sinks ships fast!

 

[jezbd1997]

My experiences:

Apple Mail = sometimes no notifications or new emails are not showing up

Outlook = iCloud Mail only works for a few days

Gmail = It’s great but sometimes not getting notifications either

Outlook is my favorite, but as long they don’t fix the problem I cannot use it. And Edison is the only one which works.

Try Spark mail, it's what I use for my accounts other than iCloud/Gmail.
I don't have issues with my iCloud notifications usually (I only use iCloud in Apple Mail).
Never had issues with Gmail app notifications

 

[1144557]

Try Spark mail, it's what I use for my accounts other than iCloud/Gmail.
I don't have issues with my iCloud notifications usually (I only use iCloud in Apple Mail).
Never had issues with Gmail app notifications

Spark has the same bullcrap need an account with them. You dont need an account to sync email, we're out of the POP era. All echange/IMAP accounts sync mail status

The same thing could happen with Spark. Would not use any 3rd party mail app you need a separate account for.

They can assure you until the cows come home, as of course they already did on twitter today that it couldnt happen to them, but there are no guarantees ever. Edison touted its privacy too and look, one bug disclosed thousands of users full sensitive emails to others due to a sync issue. It was surely a mistake, human error, not intentional. No one is immune to that no matter how many assurances you get.

When you agree to give your accounts over to a 3rd party sync, you assume that risk.

 

[ryanasimov]

If your app is good and you have a dedicated user base, they'll forgive a lot of technical issues. But I don't see how by any stretch of the imagination a person would continue to use this app once they know about this problem. Does this company make any other apps besides Edison?

 

[gank41]

So, hypothetically here, let’s say I purchased 2 Windows 10 Pro licenses and received the keys via email. And let’s also say that I’ve only used one of those keys, but now someone managed to see my email and the license keys, copied ‘em, and then used my available license. Who would be responsible for that, hypothetically.

I’m just trying to point out that this shouldn’t get shuffled under the rug and forgotten. A “bug” like this shouldn’t be allowed to happen, and the people responsible should maybe rethink a lot of things.

 

[chucker23n1]

So, hypothetically here, let’s say I purchased 2 Windows 10 Pro licenses and received the keys via email. And let’s also say that I’ve only used one of those keys, but now someone managed to see my email and the license keys, copied ‘em, and then used my available license. Who would be responsible for that, hypothetically.

If someone uses that key, they’re responsible.

 

[gank41]

If someone uses that key, they’re responsible.

If only there was some way to know specifically what emails were seen. I know there’s really no way to know for sure, and that’s that saddest part. They say they know WHO was impacted, but it sounds like they only know who’s emails might have been seen. Not necessarily who saw the emails? All it takes is one nefarious and quick person to recognize what they’re seeing (someone else’s emails) and quickly go thru looking for specific things: Bank Account info, Passwords potentially emailed to someone, or some other highly secretive stuff.

 

[Taz Mangus]

I just looked at the App Store for Edison e-mail. Even with all the new bad reviews, it is still rated at 4.6/5.0. Edison is responding to the bad reviews with basically the same scripted response.

 

[gank41]

I just looked at the App Store for Edison e-mail. Even with all the new bad reviews, it is still rated at 4.6/5.0. Edison is responding to the bad reviews with basically the same scripted response.

I wonder if they’re one of those companies that games the system with lots of fake positive App Store reviews.

 

[Expos of 1969]

I just looked at the App Store for Edison e-mail. Even with all the new bad reviews, it is still rated at 4.6/5.0. Edison is responding to the bad reviews with basically the same scripted response.

If Apple really cares about its customers privacy, why has it not put a hold on the app in the Store pending further review? Apple just happily turns a blind eye. Hey Tim, wake up and actually spend some time on something other than new watch bands!

 

[I7guy]

If Apple really cares about its customers privacy, why has it not put a hold on the app in the Store pending further review? Apple just happily turns a blind eye. Hey Tim, wake up and actually spend some time on something other than new watch bands!

If Apple really cared about customer privacy, it would keep out of situations that weren't warranted for them to stick their nose into, so they don't get accused of favoritism. Having a bug does not violate any appstore guidelines. Why even bring Apple into this...they have nothing to do with this. The company Edison I believe already did a mitigation.

 

[Nütztjanix]

If Apple really cares about its customers privacy, why has it not put a hold on the app in the Store pending further review? Apple just happily turns a blind eye. Hey Tim, wake up and actually spend some time on something other than new watch bands!

I understand that the change that caused this has been reverted. So even if you download the app now, you shouldn’t be affected.
But, honestly, I would not advise to download this app, or any app of this kind for that matter.

 

[Expos of 1969]

Having a bug does not violate any appstore guidelines. Why even bring Apple into this...they have nothing to do with this.

Only because Apple lets Edison sell in its store. If Apple really cared about about privacy it would tell Edison that this is not a minor insignificant type of bug and that sales in the App store were suspended until they can show they have cleaned up their act. Quite simple and principled really. But many Apple fans will disagree.

 

[I7guy]

Only because Apple lets Edison sell in its store. If Apple really cared about about privacy it would tell Edison that this is not a minor insignificant type of bug and that sales in the App store were suspended until they can show they have cleaned up their act. Quite simple and principled really. But many Apple fans will disagree.

This "if apple really...." is an fallacious way to attempting to win an online debate. Apple fans will disagree and the critics will attempt to use this erroneous logic as a talking point of how apple doesn't care about privacy. Correlation does not imply causation. How is Apple supposed to know that any apps server has a bug? They won't and shouldn't get involved unless the app developer asks them to.

 

[Expos of 1969]

This "if apple really...." is an fallacious way to attempting to win an online debate. Apple fans will disagree and the critics will attempt to use this erroneous logic as a talking point of how apple doesn't care about privacy. Correlation does not imply causation. How is Apple supposed to know that any apps server has a bug? They won't and shouldn't get involved unless the app developer asks them to.

So if developers keep silent and do not ask Apple to get involved, they could continue flogging defective apps which result in things occurring which are in 100% opposition to Apple's public "your privacy is king" marketing (should you believe Apple's spiel). And you think Apple will not be tainted by allowing these apps to be sold in the App store? Is the big anti Google app store argument not that it has no standards and does not properly vet what is offered in its store? So you see no problem in Apple not putting a temporary stop on the selling of an app which has just violated the privacy of some users? Very loose standards you apply to Apple.

 

[chucker23n1]

So if developers keep silent and do not ask Apple to get involved, they could continue flogging defective apps which result in things occurring which are in 100% opposition to Apple's public "your privacy is king" marketing (should you believe Apple's spiel).

Yes, they could.

But nobody expects Apple to be just as thorough vetting every single third-party app as they are vetting their own products.

And you think Apple will not be tainted by allowing these apps to be sold in the App store?

Yes, and they might just pull the app.

Is the big anti Google app store argument not that it has no standards and does not properly vet what is offered in its store? So you see no problem in Apple not putting a temporary stop on the selling of an app which has just violated the privacy of some users? Very loose standards you apply to Apple.

Not everything is one extreme or the other.

 

[I7guy]

So if developers keep silent and do not ask Apple to get involved, they could continue flogging defective apps which result in things occurring which are in 100% opposition to Apple's public "your privacy is king" marketing (should you believe Apple's spiel). And you think Apple will not be tainted by allowing these apps to be sold in the App store? Is the big anti Google app store argument not that it has no standards and does not properly vet what is offered in its store? So you see no problem in Apple not putting a temporary stop on the selling of an app which has just violated the privacy of some users? Very loose standards you apply to Apple.

Your argument is incorrect. When one downloads an app, the "contract" is between you and the app developer. Unless an app violates the app store guidelines Apple keeps it's corporate nose out of it. The Apple privacy push is between you and Apple, not you and the app developer. Apple can't and shouldn't be responsible for your information that is not on apples servers.

No I do not think Apple will be tainted, except by those who chose to criticize Apple for something they have nothing to do with. Apple is not in the business of putting an app through quality assurance.

Very random standards you apply to Apple.

 

[seanmcbay]

I see nothing funny about it. I doubt you would think it funny if it happened to you, and someone got a hold of some very personal information about you and took advantage of the situation.

That’s not the funny part. What I find funny is that a company can mess up that badly.

 

[gank41]

I wish they’d provide a way to delete any data that’s been collected. Ok, sure... they fixed their “bug”. What assurances does anyone have that they still don’t have a copy of our email? It’s only due to a “mistake” (duh!) that we even know they’ve essentially got entire copies of our mailboxes, folders, and all emails. I’m not comfortable with just deleting an account on my device in their app. How can anyone make sure that our data is nuked on their end? What if this happens again? Are people going to see someone’s email that hasn’t used their app in over a year?

 

[kugino]

yeah, no assurances on this part. i wasn't one of the 6000+ who was affected as i did not receive an email from edison...but i did delete all my email accounts on my edison account, delete the app, remove any permissions i had given edison in my email accounts, and changed all my email passwords. i understand that 3rd party clients will gather data and for the most part i am ok with it, but this was the worst thing you could do as an email client and they no longer have my business or support.

fwiw, i hate Apple Mail. on the lookout for something else...Gmail app for the time being...