Hide My Email Vulnerability Exposes Real iCloud Accounts, Still Unfixed

Published by Robert Granstone on


What You Need to Know

  • Hide My Email generates random forwarding addresses so that websites and apps never see a user’s real inbox.
  • A security researcher found that attackers can reverse the feature and expose the real iCloud account linked to a hidden address.
  • Apple said it fixed the vulnerability in March, but follow-up tests showed the problem remained unfixed.
  • Apple’s planned migration to the private.icloud.com domain lets any service block the feature outright by rejecting addresses at that domain.

Apple’s Hide My Email feature works by generating random forwarding addresses so websites and apps never see a user’s real inbox. The flaw now circulating in security circles inverts that entirely: attackers can apparently use a Hide My Email address to look up the actual iCloud account behind it.

Security researcher Tyler Murphy, co-founder of EasyOptOuts, brought the issue to Apple in June of last year after his team found that every Hide My Email address they tested exposed the linked real address. Apple told him the problem was fixed in March. His follow-up tests disagreed.

The timeline after that is the more pointed part of the story. Apple asked Murphy to stay quiet while it worked on a resolution, then missed its expected June fix deadline. He went public anyway. 404 Media verified the vulnerability this week using one of its own hidden addresses and is withholding technical details because the flaw remains exploitable.

Domain change adds a separate wrinkle

Apple recently announced that Hide My Email will migrate to a new private.icloud.com domain, consolidating it with Sign in with Apple under one address. That announcement drew its own criticism before this vulnerability story broke: once every relay address lives under a single well-known domain, any service can block the feature entirely just by rejecting addresses at private.icloud.com. The two issues are separate problems, but they land in the same week and point at the same product.

Hide My Email is a paid iCloud+ feature, meaning the people most exposed are subscribers who opted in specifically for the privacy benefit. Anyone who wants to create an iCloud email address through Apple’s standard account setup is dealing with a different system, but the reputational overlap is real. A privacy tool that leaks the thing it is supposed to hide is a harder sell regardless of which domain it eventually lands on.

Source: Apple Hide My Email Privacy Flaw Can Reveal Real Email Addresses (macobserver.com)

Categories: News

Robert Granstone

Robert Granstone is the Editor-in-Chief of Guide4Mac. A veteran tech journalist with a decade of experience covering Apple, he specializes in making complex Mac and iPhone workflows accessible to everyone. Robert’s editorial philosophy is built on transparency and hands-on testing. Follow his latest insights into the Apple ecosystem here.
