Glitch in OS X search can expose private details of Apple Mail users

Performing a Spotlight search opens email previews that load external images, even when the Mail client is asked not to do this

A glitch in the search software in Apple's OS X Yosemite can expose private details of Apple Mail users, revealing their IP address as well as other system details to spammers, phishers and online tracking companies.

The potential privacy risk appears when people use the Spotlight Search feature, which also indexes emails received with the Apple Mail email client. When searching a Mac, Spotlight shows previews of emails and when it does this, it automatically loads external images linked in HTML email.

The Spotlight preview loads those files even when users have switched off the "load remote content in messages" option in the Mail app, a feature often disabled to prevent email senders from knowing if an email has arrived and if it has been opened. What's more, Spotlight also loads those files when it shows previews of unopened emails that landed directly in the junk folder.

Opening external files can reveal private data to email senders. Senders often include so-called tracking pixels, usually a link to a one-pixel-square GIF file, in their email, which sends information back to the sender when an email is opened and the external image is loaded. Those pixels are often used by email marketeers to gather data.

The potential privacy issue was first reported by German tech news site Heise and has been replicated by the IDG News Service, which sent several emails with tracking pixels to a mail address linked to Apple Mail. Spotlight showed a preview of the unopened emails, which revealed to the operator of the server hosting the pixels the receiver's IP address, current OS version and some details about the browser used, as well as the version of Quick Look, a program that lets users preview a document.

An IP address can reveal someone's location, although this is not always very accurate. Meanwhile, knowing more details about a user's system could potentially be interesting information for hackers.

At the moment, the only way to work around the issue seems to be to uncheck the "Mail & Messages" box for Spotlight in System Preferences. When this option is disabled no mails are returned in Spotlight's search results, and thus, no preview is shown.

We asked Apple why the "load remote content in messages" Mail privacy setting does not apply to mail shown in Spotlight searches, as users can reasonably expect it does, and asked if it is planning to fix this issue. Apple did not immediately respond.

(With additional reporting by Lucian Constantin of IDG News Service.)

Loek is Amsterdam Correspondent and covers online privacy, intellectual property, online payment issues as well as EU technology policy and regulation for the IDG News Service. Follow him on Twitter at @loekessers or email tips and comments to loek_essers@idg.com


Loek Essers

IDG News Service