Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Privacy Security IT

Edison Mail Rolls Back Update After iOS Users Reported They Could See Strangers' Emails (theverge.com) 21

Edison Mail has rolled back a software update that apparently let some users of its iOS app see emails from strangers' accounts. From a report: Several Edison users contacted The Verge to report seeing the glitch after they applied the update, which was meant to allow users to sync data across devices. Reader Matthew Grzybowski said after the update he had more than 100 unread messages from the UK-based email account of a stranger. He didn't have to enter any credentials to see the emails, Grzybowski added. The company said it was a bug, not a security breach, and that the issue appeared limited to users of the iOS app.
This discussion has been archived. No new comments can be posted.

Edison Mail Rolls Back Update After iOS Users Reported They Could See Strangers' Emails

Comments Filter:
  • by gnasher719 ( 869701 ) on Monday May 18, 2020 @09:12AM (#60073512)
    It may be a self inflicted security breach, but it is a security breach. A burglar breaking your looks and getting in is a security breach, but you leaving your front door unlocked is also a security breach.
    • by gweihir ( 88907 )

      It is. It did expose sensitive data to 3rd parties because of a technical defect. An actual attack is not needed for a security breach.

  • I thought GE just used outlook.

  • Although I'd guess none of their user data is encrypted.

    My guess is if you wiresharked their network activity you'd see some trivial http calls that are insecure and show you someone else's mail if you edit the url.
    • Although I'd guess none of their user data is encrypted.

      I bet you're right on both counts.

      My guess is if you wiresharked their network activity you'd see some trivial http calls that are insecure and show you someone else's mail if you edit the url.

      But..but...you can just validate that on the frontend, right? /s

      I have no idea how many times I've heard that BS. I should be filthy rich if I had a nickel for every time someone offered that non-solution.

  • the update, which was meant to allow users to sync data across devices.

    Why would I use any sort of third party service for what any IMAP server and client can do all by themselves? My devices have no problem whatsoever syncing email data and state without that, thank you very much.

    • In theory, IMAP wasn't designed to be data/power efficient for mobile. To get notified about new messages immediately, you have to keep a data connection open or poll on a schedule. With server-side handling of email, you can use the mobile operating system's notification protocol to tell the mail client to get new messages (where the notification protocol connection is going to be kept open anyway).

      Depending on the mail client, IMAP doesn't work well with large mailboxes. I've found that search on the G

  • Forget AI and smart mail boxes and all the other BS bells and whistles, can someone please just write a decent basic mail client for iOS / MacOS that doesn't suck? The only really good mail client (Sparrow) was bought by Google years ago and then pulled.

  • by Ichijo ( 607641 ) on Monday May 18, 2020 @10:24AM (#60073796) Journal

    Is nobody else worried that this was fixed by rolling out a new client?

    • Yes.

      Iâ(TM)d like to know that changes were made on the backend that detect and deny access to a faulty client.

      Nothing forces a user to update an app posted on the Apple App Store unless you have automatic updates enabled. Thus, faulty clients may still have access.

      And, as others noted, this is a data breach - just not one caused by a third-party as information on other users was exposed. Canâ(TM)t sugarcoat this one.

  • This is so fucked up, they can't even get email right? How many years has email been around? Why aren't these people getting sued out of existence?
  • If they can screw up this massively, then they will do so again.

  • How is this not a horrible security breach? Or are they playing with words and it is just horrible security practices? The server sends a user's data (emails) to a client that has has not authenticated as that user. The problem is with the server, not with the client obviously... If by "fixing" it they just have the client not ask for the data it is not authorized to get, that is not fixing the problem.

    • In other news, a billion emails were scraped today in an unidentified hack of Edison servers...

Keep up the good work! But please don't ask me to help.

Working...