Snippet: Spotlight Search in OS X Yosemite Exposes Data to Spammers

Shared on January 9, 2015

Dan Goodin for Ars Technica:

The potential privacy glitch affects people who have configured the Mac Mail App to turn off the “load remote content in messages” setting, as security experts have long advised. Spammers, stalkers, and online marketers often use remote images as a homing beacon to surreptitiously track people opening e-mail. Because the images are hosted on sites hosted by the e-mail sender, the sender can log the IP address that viewed the message, as well as the times and how often the message was viewed, and the specific e-mail addresses that received the message. Many users prefer to keep their e-mail addresses, IP addresses, and viewing habits private, a goal that’s undermined by the viewing of remote images.

Like Mozilla Thunderbird, Microsoft Outlook, and many other e-mail clients, Mail allows users to block remote images for precisely this reason. But even when remote image viewing is disabled in Yosemite-based Mail app settings, the images will be opened by Spotlight, according to two recent media reports. The feature is used to search a Mac for files or e-mail containing a specified search term. When Spotlight returns a preview of e-mails containing the term, it loads the images, overriding the option. Images are loaded even when the previewed message has landed in a user’s junk mail folder.

Although this is a very specific use case, I hope Apple gets it patched sooner rather than later. Until then, I removed Mail & Messages from search results on Spotlight (uncheck it under the Spotlight preferences).
