OS X search tool Spotlight runs roughshod over Mail privacy settings

And we reveal how to fix that


Spotlight, the desktop search engine for OS X computers, will ignore privacy settings in Apple's Mail client when showing messages in its search results.

The programming booboo means pictures and possibly other files linked to in HTML emails will automatically show up even if you've told Apple's supplied client to not load remote content.

This means tiny, transparent images hidden in messages by spammers and message-tracking software will be fetched, confirming that your email address is working and you're able to pick up e-missives. It will also, via the HTTP request sent by OS X to the server hosting the image, reveal your public IP address, which is not good news if the purpose of the hidden picture is to help track you down.

It also means images that exploit vulnerabilities in Apple's operating system can be accidentally loaded and triggered from a desktop search even if you've told your mail client to not automatically fetch embedded files.
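As an added illustration (not code from the article, from Apple, or from Heise.de), here is a small Python checker that lists the remote resources an HTML message would fetch when rendered and flags the hidden one-pixel images described above; the sample message is constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample mail body: one ordinary remote picture, one hidden 1x1
# tracking image, and one inline (cid:) part that needs no network request.
SAMPLE_HTML = """<html><body>
<p>Hello, see the photo below.</p>
<img src="https://cdn.example.invalid/photo.jpg" width="400" height="300">
<img src="https://track.example.invalid/open?id=abc123" width="1" height="1" style="display:none">
<img src="cid:inline-part-1" alt="inline attachment">
</body></html>"""


class RemoteContentScanner(HTMLParser):
    """Collect the remote resources an HTML mail would fetch when displayed."""

    def __init__(self):
        super().__init__()
        self.remote = []   # every http(s) resource referenced
        self.beacons = []  # the subset that looks like a tracking pixel

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        src = a.get("src") if tag in ("img", "iframe", "video", "audio", "source") else None
        if tag == "link" and (a.get("rel") or "").lower() == "stylesheet":
            src = a.get("href")
        # cid: and data: references are local; only http(s) causes a request
        if not src or urlparse(src).scheme not in ("http", "https"):
            return
        self.remote.append(src)
        if tag == "img" and self._looks_hidden(a):
            self.beacons.append(src)

    @staticmethod
    def _looks_hidden(a):
        def dim(v):
            try:
                return int(str(v).rstrip("px"))
            except ValueError:
                return None
        tiny = dim(a.get("width")) in (0, 1) or dim(a.get("height")) in (0, 1)
        hidden = "display:none" in (a.get("style") or "").replace(" ", "").lower()
        return tiny or hidden


def scan_html_mail(body):
    """Return (remote_urls, likely_beacons) for an HTML mail body."""
    scanner = RemoteContentScanner()
    scanner.feed(body)
    scanner.close()
    return scanner.remote, scanner.beacons


if __name__ == "__main__":
    remote, beacons = scan_html_mail(SAMPLE_HTML)
    print("remote resources:", remote)
    print("likely tracking pixels:", beacons)
```

A message with anything in the first list will trigger a fetch, and so reveal your IP address, in any viewer that renders remote content, whether that is the mail client or a search preview.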

Using OS X Yosemite, The Register was able to trivially confirm that a report by Heise.de is true: configure the Mail app to not load remote content via its preferences, then send a message with a linked picture to your desktop inbox from Gmail, then once it's received, press Apple-Spacebar to open Spotlight and search for that message. A preview of the email appears with the linked-to content shown.

Apple did not respond to a request for comment on the matter. El Reg thinks this is not a major vulnerability, but certainly worth flagging up for the privacy conscious.

Disable email viewing in Spotlight: Open System Preferences, then navigate to Spotlight and switch off "Mail and Messages"

Until Apple takes a look at the problem, Mac users are best advised to disable the searching of mail and messages content in Spotlight through OS X Preferences. Spotlight was previously caught leaking everything you search for to Apple. ®
