Slashdot Mirror

← Back to Stories (view on slashdot.org)

Glitch In OS X Search Can Expose Private Details of Apple Mail Users

Posted by timothy on from the where-are-you-now dept.

itwbennett (1594911) writes "The potential privacy risk in Apple's OS X Yosemite, first reported by German tech news site Heise and confirmed by IDG News Service, appears when people use the Spotlight Search feature, which also indexes emails received with the Apple Mail email client. Performing a Spotlight search opens email previews that load external images, including tracking pixels that are used to gather data, even when the Mail client is asked not to do this." From the article: A preview of the unopened emails was shown by Spotlight, which revealed to the operator of the server hosting the pixels the receiver’s IP address, current OS version and some details about the browser used as well as the version of Quick Look, a program that let’s users preview a document.

4 of 49 comments (clear)

  1. not really a bug just a behavior by goombah99 · · Score: 4, Informative

    any browser, especially ones that do pre-fetching, reveal the same details. pre-fetching can send your OS and browser details, even cookies, to sites you never visit. This isn't seen as a disaster and those are not deep secrets. Mail is doing this one step deeper by automatically pre-fetching all your e-mails. But seriously, most people delete there e-mails by clicking on the e-mail and hitting the trashcan. so that fetch happens. only some folks will devise strategies to actually not look at an e-maiul before deleting it. and for them , they can exclude e-mail from previe and spotlight.

    I already remove e-mail from spotlight just because I don't want e-mails poping up in my searches under an employees name. that could get embarassing if the employee is there while I'm searching for some document we created together.

    --
    Some drink at the fountain of knowledge. Others just gargle.
    1. Re:not really a bug just a behavior by bws111 · · Score: 4, Informative

      Browsers do not reveal the same details. The links in an email (if followed) prove that the email address is valid, something your browser can not do. Email clients (good ones anyway) do not automatically follow the links, either in preview or even if you open the mail, unless you ask them to. This is a bug.

  2. Outlook by steveo777 · · Score: 3, Informative

    I'm pretty sure MS caught hell for this about a decade ago when their preview pane would preload the entire contents of an email, including VBS scripts and links... It's not like it's the first time it happened, but it looks pretty bad for Apple having made the same mistake twice.

    --
    This sig isn't original enough, it's time to come up with something witty...
  3. Re:This is serious for users by Rosyna · · Score: 1, Informative

    This isn't a vulnerability, and to disable it all you have to do is uncheck "Mail & Messages" in the Spotlight preference pane in System Preferences.