A glitch in the search software in Apple’s OS X Yosemite can expose private details of Apple Mail users, revealing their IP address as well as other system details to spammers, phishers and online tracking companies.
The potential privacy risk appears when people use the Spotlight Search feature, which also indexes emails received with the Apple Mail email client. When searching a Mac, Spotlight shows previews of emails and when it does this, it automatically loads external images linked in HTML email.
The Spotlight preview loads those files even when users have switched off the “load remote content in messages” option in the Mail app, a feature often disabled to prevent email senders from knowing if an email has arrived and if it has been opened. What’s more, Spotlight also loads those files when it shows previews of unopened emails that landed directly in the junk folder.
Opening external files can reveal private data to email senders. Senders often include so-called tracking pixels, usually a link to a one-pixel-square GIF file, in their email, which sends information back to the sender when an email is opened and the external image is loaded. Those pixels are often used by email marketeers to gather data.
The potential privacy issue was first reported by German tech news site Heise. A preview of the unopened emails was shown by Spotlight, which revealed to the operator of the server hosting the pixels the receiver’s IP address, current OS version and some details about the browser used as well as the version of Quick Look, a program that let’s users preview a document.
An IP address can reveal someone’s location, although this is not always very accurate. Meanwhile, knowing more details about a user’s system could potentially be interesting information for hackers.
At the moment, the only way to work around the issue seems to be to uncheck the “Mail & Messages” box for Spotlight in System Preferences. When this option is disabled no mails are returned in Spotlight’s search results, and thus, no preview is shown.
We asked Apple why the “load remote content in messages” Mail privacy setting does not apply to mail shown in Spotlight searches, as users can reasonably expect it does, and asked if it is planning to fix this issue. Apple did not immediately respond.
(With additional reporting by Lucian Constantin).