Spotlight, the desktop search engine for OS X computers, will ignore privacy settings in Apple's Mail client when showing messages in its search results.
The programming booboo means pictures and possibly other files linked to in HTML emails will automatically show up even if you've told Apple's supplied client to not load remote content.
This means tiny, transparent images hidden in messages by spammers and message-tracking software will be fetched, confirming that your email address is working and you're able to pick up e-missives. It will also, via the HTTP request sent by OS X to the server hosting the image, reveal your public IP address, which is not good news if the purpose of the hidden picture is to help track you down.
It also means images that exploit vulnerabilities in Apple's operating system can be accidentally loaded and triggered from a desktop search even if you've told your mail client to not automatically fetch embedded files.
Using OS X Yosemite, The Register was able to trivially confirm a report by Heise.de is true: configure the Mail app to not load remote content via its preferences, then send a message with a linked picture to your desktop inbox from Gmail, then once it's received, press Apple-Spacebar to open Spotlight and search for that message. A preview of the email appears with the linked-to content shown.
Apple did not respond to a request for comment on the matter. El Reg thinks this not a major vulnerability, but certainly worth flagging up for the privacy conscious.
Disable email viewing in Spotlight: Open System Preferences, then navigate to Spotlight and switch off "Mail and Messages"
Until Apple takes a look at the problem, Mac users are best advised to disable the searching of mail and messages content in Spotlight through OS X Preferences. Spotlight was previously caught leaking everything you search for to Apple. ®