Six Colors

Report: Security vulnerability makes Hide My Email not so anonymous

Joseph Cox at 404Media reports on a hole in Hide My Email’s security:

A vulnerability in Apple’s “Hide My Email” tool lets almost anyone discover a person’s real email address that is supposed to be hidden by the feature, and Apple has failed to fix it for more than a year, according to a security researcher and 404 Media’s own tests.

This information originates with Tyler Murphy, who runs EasyOptOuts, a service that aims to help you remove your private information from the web. Cox says he confirmed the issue by creating a new Hide My Email address and providing it to Murphy, who returned the associated private iCloud email in about five minutes.

According to Murphy, he reported the vulnerability—the full details of which neither he nor 404 are disclosing—to Apple a year ago, and as of the end of May, the company said a security update was due “in the coming weeks”, though it still had not been patched as of the story’s publication.

While it’s hard to determine without the exact details how serious this vulnerability is, Murphy and Cox’s demo and Apple’s response do suggest that it is of concern for those relying on the feature, which is part of Apple’s paid iCloud+ service.

The company recently announced that it would be shifting all new anonymous addresses for both Hide My Email and Sign in with Apple to a single subdomain, a move that some critics say would make it easier for services to block the use of those addresses specifically. Previously, that would have required blocking all icloud.com addresses, which would obviously be untenable.

