Edison Mail Rolls Back Update After iOS Users Reported They Could See Strangers' Emails (theverge.com)
Edison Mail has rolled back a software update that apparently let some users of its iOS app see emails from strangers' accounts. From a report: Several Edison users contacted The Verge to report seeing the glitch after they applied the update, which was meant to allow users to sync data across devices. Reader Matthew Grzybowski said after the update he had more than 100 unread messages from the UK-based email account of a stranger. He didn't have to enter any credentials to see the emails, Grzybowski added. The company said it was a bug, not a security breach, and that the issue appeared limited to users of the iOS app.
It is security breach (Score:4, Insightful)
Re: (Score:2)
It is. It did expose sensitive data to 3rd parties because of a technical defect. An actual attack is not needed for a security breach.
Is Edison mail popular? (Score:2)
I thought GE just used outlook.
Re: (Score:2)
That's nice. Mum is getting on, and she could use someone to take her for a spin now and again.
Per user encryption (Score:2)
My guess is if you wiresharked their network activity you'd see some trivial http calls that are insecure and show you someone else's mail if you edit the url.
Re: (Score:2)
Although I'd guess none of their user data is encrypted.
I bet you're right on both counts.
My guess is if you wiresharked their network activity you'd see some trivial http calls that are insecure and show you someone else's mail if you edit the url.
But..but...you can just validate that on the frontend, right? /s
I have no idea how many times I've heard that BS. I should be filthy rich if I had a nickel for every time someone offered that non-solution.
IMAP standard feature (Score:2)
Why would I use any sort of third party service for what any IMAP server and client can do all by themselves? My devices have no problem whatsoever syncing email data and state without that, thank you very much.
Re: (Score:2)
In theory, IMAP wasn't designed to be data/power efficient for mobile. To get notified about new messages immediately, you have to keep a data connection open or poll on a schedule. With server-side handling of email, you can use the mobile operating system's notification protocol to tell the mail client to get new messages (where the notification protocol connection is going to be kept open anyway).
Depending on the mail client, IMAP doesn't work well with large mailboxes. I've found that search on the G
Decent mail client (Score:2)
Forget AI and smart mail boxes and all the other BS bells and whistles, can someone please just write a decent basic mail client for iOS / MacOS that doesn't suck? The only really good mail client (Sparrow) was bought by Google years ago and then pulled.
Client side security? (Score:3)
Is nobody else worried that this was fixed by rolling out a new client?
Re: Client side security? (Score:2)
Yes.
I'd like to know that changes were made on the backend that detect and deny access to a faulty client.
Nothing forces a user to update an app posted on the Apple App Store unless you have automatic updates enabled. Thus, faulty clients may still have access.
And, as others noted, this is a data breach - just not one caused by a third-party as information on other users was exposed. Can't sugarcoat this one.
Sue them out of existence (Score:2)
Better not have your email with them then (Score:2)
If they can screw up this massively, then they will do so again.
Wait, what? (Score:2)
How is this not a horrible security breach? Or are they playing with words and it is just horrible security practices? The server sends a user's data (emails) to a client that has not authenticated as that user. The problem is with the server, not with the client obviously... If by "fixing" it they just have the client not ask for the data it is not authorized to get, that is not fixing the problem.
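As an added example of the point made in this comment and in the "validate on the frontend" exchange above (this is not Edison Mail's code; the endpoint, session table and mailboxes are all constructed): the mailbox a request may read is decided from the authenticated session on the server, so an outdated or buggy client cannot widen its own access, and cross-account attempts are recorded for detection.

```python
# Added illustration, not Edison Mail's code. All data below is constructed.
from typing import Dict, List, Tuple

# Constructed sample state: session token -> user id, and each user's mailbox.
SESSIONS: Dict[str, str] = {"tok-alice": "alice", "tok-bob": "bob"}
MAILBOXES: Dict[str, List[str]] = {
    "alice": ["Invoice from ACME", "Dentist reminder"],
    "bob": ["Flight confirmation", "Team offsite"],
}


class Forbidden(Exception):
    """Raised when a request is not allowed to read the requested mailbox."""


def fetch_mail_insecure(session_token: str, account: str) -> List[str]:
    """Buggy pattern the thread suspects: the caller is authenticated, but the
    client-supplied 'account' parameter alone decides whose mailbox is returned.
    Any logged-in client (or a faulty sync feature) can read any mailbox."""
    if session_token not in SESSIONS:
        raise Forbidden("not authenticated")
    return MAILBOXES[account]


def fetch_mail_secure(session_token: str, account: str) -> List[str]:
    """Hardened pattern: the identity bound to the session, not the request,
    decides which mailbox may be read. Fixing the client is not enough because
    old app versions keep talking to the same server."""
    user = SESSIONS.get(session_token)
    if user is None:
        raise Forbidden("not authenticated")
    if account != user:
        raise Forbidden(f"{user} may not read mailbox of {account}")
    return MAILBOXES[account]


def audit_requests(requests: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Detection helper: replay (session_token, account) pairs through the
    secure handler and return the (user, account) pairs that were denied,
    which is what a backend should be alerting on after an incident like this."""
    denied = []
    for token, account in requests:
        try:
            fetch_mail_secure(token, account)
        except Forbidden:
            denied.append((SESSIONS.get(token, "<unauthenticated>"), account))
    return denied
```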