The developer Edison Software Inc. has withdrawn an update of its email client Edison Mail after iOS users reported that they could access email content from other people's accounts. The developer explained that the incident was a bug and not the result of a security breach. The update was withdrawn shortly after the first reports from users.
A serious bug in this popular iOS email app allows viewing strangers' email content
According to reports, the update was meant to enable cross-device synchronization. The Edison Mail email client is available for the Android and iOS mobile operating systems and for Apple's desktop operating system, macOS. However, instead of having their own accounts synchronized automatically across multiple devices, users were given access to the accounts of strangers, without even having to enter the login details and associated password for those accounts.
Affected users contacted the software developer via Twitter. According to one user, a stranger's iPhone had full access to his emails and his account. Another Twitter user had access to an email account that was not his after installing the update and activating the synchronization function. The developer replied that they were working on a solution. It said the update caused a technical problem in Edison Mail that affected only a small percentage of users.
I just updated @Edison_apps Mail & after enabling a new sync feature, an email account THAT IS NOT MINE showed up in the app, that I could seemingly access completely. This is a SIGNIFICANT security issue. Accessing another’s email w/o credentials! Never trusting this app again.
We are urgently working to resolve this technical problem in Edison Mail. Yesterday a software update rolled out to a small percent of our users. We have reverted that now and are reaching out to users who have been impacted as fast as we can.
— Edison (@Edison_apps) May 16, 2020
According to Edison Software, only users of the iOS application seem to be affected by the bug. In addition, fortunately, it is not a security breach, reports The Verge. According to the report, the update was available for 10 hours before it was withdrawn. The company will also contact users who updated and opened the app during those 10 hours.