OS X search tool Spotlight runs roughshod over Mail privacy settings

And we reveal how to fix that


Spotlight, the desktop search engine for OS X computers, will ignore privacy settings in Apple's Mail client when showing messages in its search results.

The programming booboo means pictures and possibly other files linked to in HTML emails will automatically show up even if you've told Apple's supplied client to not load remote content.

This means tiny, transparent images hidden in messages by spammers and message-tracking software will be fetched, confirming that your email address is working and you're able to pick up e-missives. It will also, via the HTTP request sent by OS X to the server hosting the image, reveal your public IP address, which is not good news if the purpose of the hidden picture is to help track you down.

It also means images that exploit vulnerabilities in Apple's operating system can be accidentally loaded and triggered from a desktop search even if you've told your mail client to not automatically fetch embedded files.
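To make the mechanism concrete, here is an added example (not from The Register or Apple) that audits a raw message the way a privacy-conscious user might before any client or indexer renders it: it parses the HTML body, lists every image that would trigger an outbound HTTP request, and flags the tiny or hidden ones that fit the tracking-pixel pattern described above. The sample message and the hostnames in it are constructed for the example; the `.invalid` TLD never resolves.

```python
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message for this example (not a real email). It carries
# one inline data: image (no network fetch), one ordinary remote banner and
# one 1x1 hidden "tracking pixel" with a per-recipient token in its URL.
SAMPLE_EML = b"""From: sender@example.invalid
To: you@example.invalid
Subject: newsletter
MIME-Version: 1.0
Content-Type: text/html; charset=utf-8

<html><body>
<p>Hello</p>
<img src="data:image/gif;base64,R0lGODlhAQABAAAAACH5BAEKAAEALAAAAAABAAEAAAICTAEAOw==">
<img src="https://cdn.example.invalid/banner.png" width="600" height="100">
<img src="https://track.example.invalid/open?uid=abc123" width="1" height="1" style="display:none">
</body></html>
"""


class RemoteImageCollector(HTMLParser):
    """Collects every <img> whose src would cause a request to leave the machine."""

    def __init__(self):
        super().__init__()
        self.images = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "img":
            return
        a = dict(attrs)
        src = a.get("src") or ""
        parsed = urlparse(src)
        if parsed.scheme not in ("http", "https"):
            return  # data: and cid: images are local; nothing is fetched for them
        style = (a.get("style") or "").replace(" ", "").lower()
        self.images.append({
            "url": src,
            "host": parsed.hostname,
            "width": a.get("width"),
            "height": a.get("height"),
            "hidden": "display:none" in style,
            "has_token": bool(parsed.query),  # query string often carries a per-recipient id
        })


def remote_images(raw: bytes) -> list:
    """Return the remote <img> references in the HTML body of a raw RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("html",))
    if body is None:
        return []
    collector = RemoteImageCollector()
    collector.feed(body.get_content())
    return collector.images


def is_tracking_pixel(img: dict) -> bool:
    """Heuristic: a remote image that is invisible (hidden or 0/1 pixel) exists to be fetched, not seen."""
    tiny = img["width"] in ("0", "1") and img["height"] in ("0", "1")
    return img["hidden"] or tiny


if __name__ == "__main__":
    for img in remote_images(SAMPLE_EML):
        label = "TRACKING PIXEL?" if is_tracking_pixel(img) else "remote image"
        token = " (per-recipient token in URL)" if img["has_token"] else ""
        print(f"{label:16} {img['host']:24} {img['url']}{token}")
```

Every URL this prints is a request that would carry your public IP address, and a per-recipient token in the query string is what turns "someone fetched the image" into "this address is live". A client that honours "do not load remote content" never issues these requests; the point of the article is that Spotlight's preview path does not apply the same rule.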

Using OS X Yosemite, The Register was able to trivially confirm a report by Heise.de is true: configure the Mail app to not load remote content via its preferences, then send a message with a linked picture to your desktop inbox from Gmail, then once it's received, press Apple-Spacebar to open Spotlight and search for that message. A preview of the email appears with the linked-to content shown.

Apple did not respond to a request for comment on the matter. El Reg thinks this is not a major vulnerability, but it is certainly worth flagging up for the privacy conscious.

Disable email viewing in Spotlight: Open System Preferences, then navigate to Spotlight and switch off "Mail and Messages"

Until Apple takes a look at the problem, Mac users are best advised to disable the searching of mail and messages content in Spotlight through OS X Preferences. Spotlight was previously caught leaking everything you search for to Apple. ®
