Glitch on OSX Spotlight could expose privacy and system details of Apple Mail users

Published: January 9, 2015 2:16 PM /


Spotlight Search

A glitch on the Spotlight Search feature of Apple OSX Yosemite has been found. Firstly reported by the German tech website Heise, the glitch can possibly represent a significant privacy issue for Apple Mail users since it can potentially reveal IP and system details to spammers, phishers and the like.

Spotlight is a feature on Apple Operative Systems that allows to search for any content on the machine, including emails received via the Apple Mail client. When searching with Spotlight, it automatically shows previews of the mails and loads the images linked in those. Problem is, Spotlight also indexes mails that ended in the junk folders. That means that spotlight will automatically load images present in junk emails, including ones with so called "tracking pixels", one pixel wide gif images that send information back to the sender as soon as the image is loaded.

This spotlight glitch can possibly reveal to the email sender details like IP address, OS version, details on the browser used and more system informations of the sort. This kind of information could be used by hackers to find vulnerabilities in your system to take advantage of.

As of now, Spotlight previews and loads these images even if the "load remote content in messages" option is switched off in the settings, which is strange. This means that the only current workaround for this problem, is switching off the option to show emails in the spotlight search, by unchecking the "Mail and Messages" option for Spotlight in the System preferences. This will impede Spotlight to index emails in its search. No mail indexed, no email previewed, no image loaded, no risk. This will probably an inconvenience for many people, but until the problem is fixed, it's the only way to be completely safe in that regard.

We reached out to Apple for comment, asking them when and how they are planning to fix this problem and we'll update this article as soon as we receive a response.

What are your thoughts about this glitch? Do you think the privacy risk is substantiated? Let us know in the comments.


Have a tip, or want to point out something we missed? e-mail us at [email protected] or join us on Discord!