Apple Hide My Email Bug Exposes Real Email Addresses
A security researcher has identified a potential bug within Apple's "Hide My Email" feature that could compromise privacy by exposing users' real email addresses. The "Hide My Email" service, part of Apple's iCloud+ subscription, is designed to create unique, random email addresses that forward to a user's personal inbox, thereby masking their actual email address from websites and apps.
According to a report published this week by security researcher Joseph (who uses the handle "privacyis1st" on X, formerly Twitter), the bug may occur when users interact with certain email clients or applications. While the specifics of the technical vulnerability have not been fully detailed publicly, the claim suggests that in some instances, the forwarded emails might retain or reveal the user's original email address, defeating the purpose of the privacy-focused feature. Joseph stated that he has been investigating this issue for "months" and has provided evidence to Apple.
Apple has not yet officially commented on the researcher's findings or confirmed the existence of such a bug. The "Hide My Email" feature is a key component of Apple's broader privacy initiatives, aiming to give users more control over their personal data and reduce unsolicited communications. If confirmed, this vulnerability could significantly impact user trust in the feature and Apple's commitment to privacy. The researcher indicated that he plans to release more detailed technical information if Apple does not address the issue promptly.
Users who rely on "Hide My Email" for enhanced privacy are advised to remain vigilant and monitor their inboxes for any unusual activity or unexpected emails sent directly to their primary address. The potential exposure of real email addresses could lead to an increase in spam or phishing attempts directed at affected users. This alleged flaw highlights the ongoing challenges in maintaining robust privacy protections in digital services.
Original source: TechCrunch