“Hide My Email” Vulnerability Exposes Real Addresses
At 404 Media, Joseph Cox writes (paywalled):
A vulnerability in Apple’s “Hide My Email” tool lets almost anyone discover a person’s real email address that is supposed to be hidden by the feature, and Apple has failed to fix it for more than a year, according to a security researcher and 404 Media’s own tests.
404 Media is not revealing the exact details of the vulnerability because it can still be exploited as of Monday, when 404 Media verified the issue with one of our own hidden email addresses.
Hide My Email, part of Apple’s iCloud+ subscription, generates random @icloud.com addresses that forward to your real inbox—letting you sign up for services without revealing your actual email address. I seldom use Hide My Email because my email address is already all over the Internet, but this seems like a “you had one job” situation. It’s a particularly bad look for Apple to have ignored this reported vulnerability for over a year, and I suspect the company will fix it soon due to all the negative press now that it’s public. In other (possibly related?) Hide My Email news, TechCrunch recently reported that Apple plans to change the generated email addresses to the @private.icloud.com domain. Because today’s relay addresses share @icloud.com with every ordinary iCloud account, a site can’t block them without blocking all iCloud users; a dedicated domain would make it trivial for apps and websites to identify and block Hide My Email addresses.
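To make the domain point concrete, here is a small classifier, added here as an illustration rather than anything from the article, Apple, or TechCrunch. It labels an address as a relay only when its domain is (or is a subdomain of) a known relay domain, and shows why a check on @icloud.com alone cannot separate Hide My Email addresses from regular iCloud accounts. The domain list is an assumption: private.icloud.com is the domain TechCrunch reportedly expects Apple to adopt, and privaterelay.appleid.com, Apple’s Sign in with Apple relay domain, is included from general knowledge and is not mentioned in the article. It also contrasts the proper suffix match with a naive substring check that a look-alike domain defeats.

```python
"""Classify an address by whether its domain is a known Apple relay domain.

Added example, not code from the article or from Apple. The domain lists are
assumptions for illustration, not an Apple-published list.
"""
import re
from email.utils import parseaddr
from typing import Optional

# Assumed relay domains: "private.icloud.com" is the domain TechCrunch reported
# Apple plans to use; "privaterelay.appleid.com" is Apple's Sign in with Apple
# relay domain (general knowledge, not from the article).
RELAY_DOMAINS = frozenset({"private.icloud.com", "privaterelay.appleid.com"})

# Domains shared by today's Hide My Email addresses and ordinary personal
# accounts. A match here says nothing about whether the address is a relay.
SHARED_DOMAINS = frozenset({"icloud.com", "me.com", "mac.com"})


def extract_domain(address: str) -> Optional[str]:
    """Return the lowercased domain of an address, or None if it cannot be parsed.

    Accepts 'Display Name <user@host>' as well as bare user@host forms.
    """
    _, addr = parseaddr(address)
    if "@" not in addr:
        return None
    local, _, domain = addr.rpartition("@")
    if not local or not domain:
        return None
    # Normalise case and a trailing dot, then require a plausible hostname.
    domain = domain.strip().lower().rstrip(".")
    if not re.fullmatch(r"[a-z0-9-]+(\.[a-z0-9-]+)+", domain):
        return None
    return domain


def _matches(domain: str, known: str) -> bool:
    """Exact match or subdomain match; never a bare substring match."""
    return domain == known or domain.endswith("." + known)


def classify(address: str) -> str:
    """Return 'relay', 'shared', 'other' or 'invalid'.

    Relay domains are checked first because private.icloud.com is itself a
    subdomain of icloud.com; checking the shared list first would mislabel it.
    """
    domain = extract_domain(address)
    if domain is None:
        return "invalid"
    if any(_matches(domain, known) for known in RELAY_DOMAINS):
        return "relay"
    if any(_matches(domain, known) for known in SHARED_DOMAINS):
        return "shared"
    return "other"


def naive_contains_check(address: str) -> bool:
    """The check NOT to write: a substring test that any look-alike domain passes."""
    return "icloud.com" in address.lower()


if __name__ == "__main__":
    # Constructed sample addresses, not real accounts.
    for sample in (
        "Someone <Hidden.User@Private.iCloud.com>",
        "abc123@privaterelay.appleid.com",
        "jane@icloud.com",
        "x@icloud.com.attacker.example",
        "not an address",
    ):
        print(f"{sample!r:45} -> {classify(sample)}  naive={naive_contains_check(sample)}")
```

The useful observation is the third sample: an ordinary @icloud.com address and a current Hide My Email address both classify as "shared", which is exactly why a site cannot block the feature today without also blocking every iCloud user. The fourth sample shows the naive substring check accepting a domain that merely contains "icloud.com".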