
“Hide My Email” Vulnerability Exposes Real Addresses

At 404 Media, Joseph Cox writes (paywalled):

A vulnerability in Apple’s “Hide My Email” tool lets almost anyone discover a person’s real email address that is supposed to be hidden by the feature, and Apple has failed to fix it for more than a year, according to a security researcher and 404 Media’s own tests.

404 Media is not revealing the exact details of the vulnerability because it can still be exploited as of Monday, when 404 Media verified the issue with one of our own hidden email addresses.

Hide My Email, part of Apple’s iCloud+ subscription, generates random @icloud.com addresses that forward to your real inbox—letting you sign up for services without revealing your actual email address. I seldom use Hide My Email because my email address is already all over the Internet, but this seems like a “you had one job” situation. It’s a particularly bad look for Apple to have ignored this reported vulnerability for over a year, and I suspect the company will fix it soon due to all the negative press now that it’s public. In other (possibly related?) Hide My Email news, TechCrunch recently reported that Apple plans to change the generated email addresses to the @private.icloud.com domain, which would make it trivial for apps and websites to identify and block Hide My Email addresses.
