Culture

Edison Mail bug exposed personal emails to thousands of random users

Edison doesn't want to call this a security issue, but it definitely is. It's going to be difficult for the company to bounce back from this.

ShutterStock

Edison Mail, a popular third-party email client for iOS, macOS, and Android, has rolled back its most recent update after a bug allowed iOS users to see strangers’ accounts. Edison says the bug potentially affected up to 6,480 Edison Mail iOS users. No Android or macOS users were affected by the bug.

The bug was a doozy: it synced the Edison Mail iOS app with random accounts that did not belong to that user. While Edison has confirmed that no passwords or other credentials were exposed because of the bug, it did leave full email accounts open for users’ reading pleasures.

Edison says the bug was not related to “any external security issues,” and that it’s now been fixed with a new version of the app that was uploaded Sunday morning. We have lots of questions, such as: how do you mess up this badly?

Wait, so what happened? — On Friday, May 15, Edison Mail released a new version of its iOS app with an update to allow users to better sync their accounts across Apple devices. That update caused what Edison is calling a “technical malfunction” that synced users’ Edison Mail iOS app with random accounts. If you ended up with the bug, you had access to every email sent and received by that synced account.

Users took to Twitter to complain about the issue, which seems to have persisted through Saturday. Edison Mail then paused the app from working for many users to roll out a quick patch.

Security first — Edison’s official stance on the bug boils down to: whoops, this was a weird, one-time thing, and we’re never going to let it happen again. The company emailed users to say as much and also published a blog post about the incident.

In the blog post, Edison says: “Our team puts the security of our app users first in everything we do.” The company assures users that it’s “working diligently” to ensure this never happens again.

Edison’s messaging here is an obvious attempt to save face. The company can call this incident whatever it wants; it still severely compromised user data, and that’s a security issue. For however long the bug was active, users’ emails were just sitting out there in the open for strangers’ perusal.

Privacy is pretty much the top priority when using a mail app. Though this bug only affected something like 6,480 users right now, it’s going to be a stain on Edison Mail’s reputation for a long, long time.