A flaw in the way that Yosemite, Apple's latest version of OS X, handles email searches could compromise user privacy, two media reports say.
The German tech website Heise Online and the English-language IDG News Service report that the Spotlight Search function in Yosemite loads external images in previews of Apple Mail messages in search results — even if users have opted to block those images when reading messages in Apple Mail.
Spammers and marketers often send marketing emails containing references that pull images or other content from external websites. The image URL is typically unique to each recipient, so the moment the mail client fetches it the sender learns that the message was opened, that the address is live, and the recipient's Internet Protocol (IP) address and client software. The loaded image is often a single pixel that blends into the background of the message, making it invisible to the recipient.
For these reasons, privacy-conscious email users often disable auto-loading of external content. The latest versions of Microsoft's Outlook email software block external content in messages by default.
Nonetheless, a Heise reader who'd deselected "load remote content in messages" in his Apple Mail settings discovered that remote content loaded in emails that popped up in his Spotlight Search results.
Heise ran its own tests and found that the content request sent to the external server by Spotlight Search not only revealed the recipient's IP address, but also, in the request headers, the exact version numbers of OS X and QuickTime, Apple's multimedia framework, that the recipient's Mac was running. That is information that could be useful to someone planning a targeted attack, since it tells the attacker which unpatched software to aim at.
IDG News Service discovered that Spotlight Search even automatically loaded images in unopened spam messages that had been routed by Apple Mail directly to the Junk folder, exposing recipients' data to spammers whose emails would otherwise never be read.
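The following added example (not code from Heise, IDG or Apple) reproduces the mechanism described above end to end on one machine: a stand-in tracking host records every fetch, a constructed marketing message carries a 1x1 pixel whose URL holds a per-recipient token, and a function mimics a previewer that either honours or ignores a "load remote content" setting. The sample message, the `rid` token and the User-Agent string are all assumptions made for the demonstration; the point is what the tracker sees when the client does load remote content.

```python
import email
import threading
from email import policy
from html.parser import HTMLParser
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlparse
from urllib.request import Request, urlopen

# A 1x1 transparent GIF, the usual payload of a tracking pixel ("web beacon").
PIXEL_GIF = (b"GIF89a\x01\x00\x01\x00\x80\x00\x00\x00\x00\x00\xff\xff\xff!"
             b"\xf9\x04\x01\x00\x00\x00\x00,\x00\x00\x00\x00\x01\x00\x01\x00\x00\x02\x02D\x01\x00;")


class TrackingHandler(BaseHTTPRequestHandler):
    """Stand-in for the sender's tracking host: log who fetched which token."""
    hits = []  # shared log of {client_ip, user_agent, rid}

    def do_GET(self):
        token = parse_qs(urlparse(self.path).query).get("rid", [None])[0]
        TrackingHandler.hits.append({
            "client_ip": self.client_address[0],          # recipient's IP address
            "user_agent": self.headers.get("User-Agent"),  # client/OS version leak
            "rid": token,                                  # which recipient opened it
        })
        self.send_response(200)
        self.send_header("Content-Type", "image/gif")
        self.send_header("Content-Length", str(len(PIXEL_GIF)))
        self.end_headers()
        self.wfile.write(PIXEL_GIF)

    def log_message(self, *args):  # keep the demo quiet
        pass


def start_tracking_server():
    srv = HTTPServer(("127.0.0.1", 0), TrackingHandler)  # port 0: pick a free port
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def build_sample_message(port):
    """Constructed sample message (not real spam): a cid: logo, which needs no
    network fetch, plus a hidden 1x1 pixel keyed to this recipient."""
    html = (f"<html><body><p>Spring sale this week!</p>"
            f'<img src="cid:logo@example.net" width="200" height="60">'
            f'<img src="http://127.0.0.1:{port}/open.gif?rid=a1b2c3" '
            f'width="1" height="1" style="display:none"></body></html>')
    return (f"From: promo@example.net\r\nTo: alice@example.com\r\nSubject: Spring sale\r\n"
            f"MIME-Version: 1.0\r\nContent-Type: text/html; charset=utf-8\r\n\r\n{html}").encode()


class RemoteRefCollector(HTMLParser):
    """Collect references that would hit an external server when rendered."""
    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        url = a.get("src") if tag in ("img", "iframe", "source") else a.get("href") if tag == "link" else None
        # cid:, data: and relative references never leave the machine; only http(s) does.
        if url and urlparse(url).scheme in ("http", "https"):
            self.urls.append(url)


def remote_urls(raw):
    msg = email.message_from_bytes(raw, policy=policy.default)
    collector = RemoteRefCollector()
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            collector.feed(part.get_content())
    return collector.urls


def render_like_a_preview(raw, user_agent, load_remote):
    """Mimic a previewer. With load_remote=False (the 'load remote content'
    setting off) nothing is fetched; with it on, every remote ref is requested."""
    urls = remote_urls(raw)
    if not load_remote:
        return []
    fetched = []
    for u in urls:
        with urlopen(Request(u, headers={"User-Agent": user_agent}), timeout=5) as r:
            fetched.append((u, r.status))
    return fetched


def demo():
    TrackingHandler.hits.clear()
    srv = start_tracking_server()
    try:
        raw = build_sample_message(srv.server_address[1])
        # Assumed User-Agent; the real Yosemite string is not given in the reports.
        ua = "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10) QuickTime/7.7.3 (constructed)"
        render_like_a_preview(raw, ua, load_remote=False)
        hits_when_blocked = len(TrackingHandler.hits)   # nothing reached the tracker
        render_like_a_preview(raw, ua, load_remote=True)
        return {"hits_when_blocked": hits_when_blocked, "hits": list(TrackingHandler.hits)}
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    print(demo())
```

Run stand-alone, `demo()` shows zero tracker hits while remote loading is off and one hit, carrying the recipient token, the client IP and the User-Agent, once it is on. The Yosemite problem is that Spotlight's preview behaves like the second call even when Mail is configured like the first; `remote_urls()` is also a usable audit of any saved `.eml` for references that would phone home.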
Yosemite users can work around the flaw by going into System Preferences and removing "Mail & Messages" from the categories that Spotlight Search is allowed to show, at the cost of no longer finding mail through Spotlight. Alternatively, the editors at Heise's Mac & i blog have created a plug-in, not authorized by Apple, that disables loading of external content in Spotlight Search results; as with any unofficial modification of a system component, it may need to be reapplied or may stop working after an OS update.
Apple did not immediately respond to a request for comment.