Unpatched Flaw in Apple’s Email Masking Feature Leaks Real Addresses

A long standing flaw in Apple's Hide My Email feature, unrepaired over a year after disclosure, lets attackers reverse engineer anonymized aliases back to users' real inboxes.

CSBadmin
2 Min Read

The Vulnerability at Hand

Apple’s Hide My Email service, a privacy tool offered through iCloud+ that creates unique relay addresses to shield users’ real inboxes during online registrations, contains an unpatched security flaw. Researcher Tyler Murphy of EasyOptOuts discovered the issue, and independent verification by 404 Media confirmed the bug remains exploitable. The vulnerability allows an attacker with limited technical skill to resolve an anonymized alias back to the user’s actual email address, breaking the fundamental privacy promise of the feature.

Impact and Disclosure Timeline

404 Media validated the flaw against one of its own hidden addresses as recently as late June, more than a year after Murphy first reported the issue to Apple with detailed reproduction steps. While the company has not deployed a fix or communicated any mitigation plan, Murphy and 404 Media have opted for a partial public disclosure: warning users without releasing specific exploitation steps to prevent widespread abuse. The vulnerability is especially concerning because it requires no elevated privileges, making it accessible to a broad range of attackers who could systematically probe or enumerate Hide My Email addresses.

Implications for Privacy Conscious Users

Hide My Email is widely used by journalists, activists, and others who rely on Apple’s ecosystem to compartmentalize their digital identities and reduce spam and tracking. This flaw undermines that trust, turning opaque aliases into weak pseudonyms that can be linked back to a primary mailbox. The risk includes targeted phishing, cross service correlation, and deanonymization of accounts tied to sensitive activities. Until Apple addresses the issue, high risk users should treat any Hide My Email alias as potentially traceable to their real identity and adjust their operational security practices accordingly.

Source: Cyber Security News

CSBadmin

The latest in cybersecurity news and updates.

Share This Article
Follow:
The latest in cybersecurity news and updates.