A vulnerability in Apple’s “Hide My Email” tool lets almost anyone discover a person’s real email address that is supposed to be hidden by the feature, and Apple has failed to fix it for more than a year, according to a security researcher and 404 Media’s own tests.
404 Media is not revealing the exact details of the vulnerability because it can still be exploited as of Monday, when 404 Media verified the issue with one of our own hidden email addresses.
“Apple Hide My Email is leaking email addresses that are supposed to be hidden. We reported the issue and replication instructions to Apple over a year ago. We don't know why it hasn't been fixed, but we don't feel comfortable waiting any longer. Hide My Email users deserve to know that it may be possible for attackers to discover their hidden email addresses,” Tyler Murphy, the co-founder of EasyOptOuts, which discovered and reported the issue to Apple, told 404 Media.
“Free, publicly accessible people-search sites make it easy to link an email address to other personal details, so people relying on Hide My Email for safety may be at risk,” Murphy added.
Hide My Email is part of Apple’s paid iCloud+ product. It lets users generate an anonymous email address which they can then use to sign up to services or email people with instead of their personal email. These email addresses are often two random words and a number ending in the @icloud.com domain.
This can be useful for all sorts of reasons: to reduce spam; to create an account you may not want linked to your personal address and identity; and to not have your personal information held by a site that may later suffer a data breach. I personally have generated more than 400 email addresses with Hide My Email, for example.

To test the issue I generated a
