Fatal Edison Mail-bug giving access to foreign users mailboxes on iOS

Really?

E-Mail is — by far — not dead and we still use it daily to communicate with each other. While there are plenty of options to secure this quite old protocol, real life has shown that E-Mail encryption as a real standard is quite difficult to implement. Nevertheless, security and trust are something that both E-Mail providers and clients should have in common. While many users complain about Apple's Mail app, especially since iOS 13 (not to mention a still unfixed security flaw), they look for alternatives. Edison Mail is one of those, and while the service behind it is being revived at the moment, the mail app running on iOS made a truly unlucky public appearance lately.

A Twitter user named @zmknox updated his Edison Mail app and, according to his tweet, was suddenly able to fully read other people's mailboxes without ever having had the proper credentials for them. He was able to read and browse through the mails and even had the chance to send mails under the foreign account. The team around Edison replied quickly.

It is still a mystery whether this happened by accident or whether faulty code brought this flaw to the surface, affecting just "a small percent" of Edison Mail users, as the company stated in an official answer. The updated version was rolled back, and the issue is reported to be iOS-only so far, as the Android app did not appear to be affected at all.

Although Edison replied quite fast to this tremendous issue, one may doubt whether it really hit just the stated small percentage of users, and how it could have happened at all. For all those seeking an alternative to Apple's Mail, Edison was a good choice so far, but since the user credentials appear to have been stored on the company's servers (Spark is said to work the same way), everyone who has used the app so far should immediately reconsider Edison as an alternative.

Looking back at history, I also remember the firestorm that once arose when Microsoft bought the app today known as "Outlook" on mobile devices, which also sent the user's credentials to a third-party location. By all means, E-Mail is a personal tool which should be kept private, no matter if you encrypt your mails or not.

Providers and developers are in charge of building the best and most secure infrastructure so that things like these don't happen, but although I liked the Edison Mail app so far, I must admit that, as far as I am concerned, it has just been put to the grave. "Manage all your inboxes", the slogan the app is being advertised with, now comes with a decent flavor of distrustfulness.

Affected users may think about continuing to use the app and — if they decide to do so — should definitely consider changing their credentials, enabling 2FA and changing the application passwords many services use in place of two-factor authentication. Revoking the Edison app's access at the respective providers should serve well here, too. After all, those things happen, but at a time when Edison is also working on its own mail service (yet again), publicity like this could be a fatal blow, as it is a definite loss of trust.