Last Saturday, I woke up, updated some apps on my phone, and opened my email app, Edison Mail. I was greeted by a splash page telling me about a new account sync feature [1], and to choose which email address was my primary account of the two I had in the app. I selected my Gmail address and tapped continue.

After I got into my inbox and my email reloaded, something was off. I noticed a notification email from Twitch that a streamer that I don’t watch had gone live. Tapping into the email, I noticed both the username and the email address it was directed to weren’t mine. Going back into my inbox, I noticed a lot of emails that weren’t for me. In addition to my two email accounts was a Gmail account that wasn’t mine. Something had gone horribly wrong.

At first I thought it was a fluke bug, a very, very bad fluke bug, but a fluke nonetheless. I emailed Edison support and promptly revoked access to my accounts to the app. It soon became clear that this was not just a fluke, but an incredibly bad security issue.

How Edison Responded

About 2 hours after I tweeted about the issue, Edison support woke up on Twitter and started replying to concerns from myself and others that they were looking into the issue. They later explained that the update had gone out late the night prior [2], and would be being pulled.

After they had time to shut down the bug and analyze the issue, Edison wrote a blog post (and sent an email to users affected) explaining 6,480 users [3] of their iOS app were affected by this issue. They further explained that users of this version would be locked out and to sign into Edison Mail again using the newly released bug fix.

Edison also briefly explained the nature of the bug. It effectively linked you and another user together into one Edison sync account. You could access their email, and they could access yours. Do note that this is full access, not simply reading, but writing, deleting, forwarding, etc. Everything you would need to impersonate your new pen pal.

Finally, Edison’s blog post explains that “No passwords or credentials were exposed or compromised”. While this may be technically true, it doesn’t mean much when the thing another user did gain access to was my email inbox. Everything goes through email! Receipts, notifications, account recovery, correspondence. It’s probably the number one thing I don’t want to be compromised.

In addition to their blog post, Edison’s founder, Hetal Pandya, found her way into my Twitter mentions, trying to defend Edison Mail from criticism about their past behavior about neglecting user privacy [4]. Seeing as she reached out to me, I sent her a tweet with questions I had previously sent to Edison support [5] (who still has yet to reply to my support requests). In our exchange, she replied multiple times, but didn’t really answer my questions.

- We don’t know how they missed this in testing, despite stating that they have a staging environment.
- We don’t know what specifically in their architecture made this bug possible.

This seems to be a trend with all of their responses: to give the minimum possible answer, and dodge the hard questions.