The developers behind Edison Mail have rolled back an update to the email app issued on Friday, after some users discovered a security issue in a new synchronization feature where other people’s accounts were accessible.
On Friday, Edison gained a new feature that allowed users of the third-party email app to synchronize their account across their Apple devices, including the Mac and iPhone. The feature synchronized “email connections” between devices, but a bug in the software led to unintended consequences.
Users were posting to social media instances where the email accounts of a complete stranger were appearing on their devices, instead of their own, as reported by The Verge. Furthermore, the accounts were appearing without requiring any authentication by the original user, with the contents being immediately available to the viewer.
At 10:50 PM PST Friday evening a security bug was introduced for a small fraction of our iOS users. We have rolled that update back. All impacted users are being logged out and will need to re-login.
— Edison (@Edison_apps) May 16, 2020
Ten hours after its discovery, Edison confirmed there was a flaw in the app experienced by “a small percentage of our user base.” The company quickly rolled back the update, and started to contact impacted users to notify them of the incident, and the possibility someone else may have had temporary access to their email accounts.
As part of the fix, all impacted users were forcibly logged out of the app to sever any remaining connections, and required users to re-authenticate with the app.
Edison was identified in February as one of a number of apps that gathered data on its users, monitoring the contents of user messages to provide one-click buttons for actions and canned responses. In the February report, it was alleged Edison sold data to finance, travel, and e-commerce customers derived by scraping user emails.
At the time, its developers defended the scraping by claiming it ignored personal and work email, extracted only anonymous purchase information from commercial emails, and allows users to opt out of data sharing with its research project.