Last updated September 25, 2021
A recent update to the Edison Mail iOS app somehow scrambled users' access to their accounts, so some users were able to read other people's emails. The catastrophic update was rolled back as soon as the effects were noticed, but by then the privacy damage had been done. One could very easily have downloaded other users' emails, learned the secrets of strangers, possibly accessed their payment info or passwords, and looked at their private communications.
The company said this was not the result of a security breach but of a bug introduced in the most recent update, and added that only a small number (6,480) of iOS users were affected by the flaw. As the company stated:
"Ten hours ago a software update was rolled out to a small percentage of our user base. Some of these users who received the update are experiencing a flaw in the app impacting email accounts that was brought to our attention this morning. We have quickly rolled back the update. We are contacting the impacted Edison Mail users (limited to a subset of those users who have updated and opened the app in the last 10 hours) to notify them."
We are urgently working to resolve this technical problem in Edison Mail. Yesterday a software update rolled out to a small percent of our users. We have reverted that now and are reaching out to users who have been impacted as fast as we can.
— Edison (@Edison_apps) May 16, 2020
While 6,480 iOS users does seem like a fraction of Edison Mail's userbase, it is still a significant number of people who have been wholly and fundamentally compromised by this "malfunction". In an email from Edison Mail, these people are now urged to log out and log in again. Of course, impacted users are also advised to reset their passwords on the app, as well as anywhere else they may be using the same credentials.
One technical detail that raises concerns for the entire Edison Mail user community is that a client-side update somehow managed to randomize account access routing in the system. The email account and the credentials that secure it should be protected on a server that nobody could gain access to. Additionally, the trust that users had in the app's testing and quality assurance has now been shaken. Surely, everyone has the right to blunder, but when a stranger has accessed your entire email account and credentials, that is particularly hard to let go.