An update released for iOS application of the Edison Mail introduced a security bug that resulted in some users being given access to other people’s email accounts.
“On Friday, May 15th, 2020, a software update enabled users to manage accounts across their Apple devices. This update caused a technical malfunction that impacted approximately 6,480 Edison Mail iOS users. The issue only impacted a fraction of our iOS app users (and no Android or Mac users were affected). This temporary issue was a bug, and not related to any external security issues.” reads a post published by the company.
“Data from these individual’s impacted email accounts may have been exposed to another user. No passwords were compromised. “
The Edison Mail app allows users to manage their Gmail, Yahoo, Outlook, iCloud, and other email services in a single place. The company offers apps for iOS, Android and macOS, and says its products are used by millions of individuals.
The update was rolled out on May 15, it included a feature that allows users to manage their accounts across their Apple devices.
Shortly after the patch was released, some users started reporting they could access other people’s email accounts from the iOS app without authentication.
Edison quickly solved the issue, the company confirmed that the bug potentially impacted 6,480 iOS users.
Edison Mail also confirmed that user credentials were not exposed.
The company addressed the issue with two updates, the first one on Saturday that prevented impacted users from accessing any account from the Edison app, the second one on Sunday morning, which re-enabled access for impacted users.
“A new version of the application was made available early Sunday morning in the App Store that restores full functionality for these 6,480 users. Other users were not impacted and no action is required.” added the company.
“We have notified all individual users who may have been impacted by this issue via email, and as an additional safety precaution, suggested that impacted users also change their email account password. If you did not receive an email on this issue then your account was not impacted,”
(SecurityAffairs – Edison Mail, hacking)