Software & SaaS

Apple Hide My Email Bug Exposes Real User Addresses, Researcher Warns

A bug in Apple's Hide My Email feature may be exposing users' real email addresses, according to researcher Tyler Murphy. Apple was reportedly warned over a year ago about the vulnerability.

Christopher Clark
Christopher Clark covers software & saas for Techawave.
2 min read0 views
Apple Hide My Email Bug Exposes Real User Addresses, Researcher Warns
Share

A critical vulnerability in Apple's privacy-focused Hide My Email feature may be exposing users' actual email addresses, potentially undermining online anonymity, new research suggests. The flaw, detailed by 404 Media after verification, could allow malicious actors to uncover the real email addresses linked to the temporary ones generated by the service. Researcher Tyler Murphy, who first identified the bug, stated that Apple was alerted to the issue more than a year ago, expressing surprise at the lack of a fix.

Murphy, co-founder of the data-removal service EasyOptOuts, conducted limited tests with volunteers, reporting that 100% of the Hide My Email addresses tested were exploitable. He expressed concern that publicly available people-search sites could easily link exposed email addresses to other personal information, putting users who rely on the feature for security at risk. Details of the specific vulnerability have not been publicly disclosed to prevent further exploitation.

Privacy Feature Under Scrutiny

Apple has long positioned user privacy as a cornerstone of its brand, making this potential flaw particularly concerning. The Hide My Email feature, part of Apple's iCloud+ subscription, generates unique, random email addresses that forward to the user's personal inbox. This is intended to shield users from spam, tracking, and potential data breaches by obscuring their primary email address when signing up for services or sharing an email online. The reported bug, however, appears to negate this protective layer.

This is not the first time Apple's privacy promises have come under scrutiny. In 2022, the company faced legal challenges following reports that certain iPhone apps continued to transmit analytics data to Apple even when users had opted out via iPhone Analytics privacy settings. More recently, in 2023, researchers found another Apple privacy feature, designed to anonymize Wi-Fi connections through randomized MAC addresses, was reportedly failing and exposing users' true MAC addresses instead. Such instances raise questions about the efficacy and implementation of Apple's various privacy safeguards.

While Apple has not yet publicly commented on the specific Hide My Email bug, the company has a history of addressing security and privacy concerns, albeit sometimes after significant public pressure or legal action. The potential impact of this vulnerability could be widespread, as Hide My Email is used by a large number of iCloud+ subscribers. Experts emphasize the importance of prompt disclosure and a swift resolution from Apple to restore user confidence in its privacy technologies. The ongoing debate highlights the challenges in maintaining robust online privacy in an increasingly interconnected digital world, where even seemingly secure features can harbor unexpected weaknesses.

Share