Apple 'Hide My Email' vulnerability reveals peoples' real email addresses (easyoptouts.com)

104 points by sashk 8 hours ago

10 comments:

by rubatuga 29 minutes ago

Is it based on mail undeliverable errors? Or attempts to log in using IMAP or SMTP with it? Or is it exposed during the SMTP protocol?

by hunter2_ 26 minutes ago

As someone who doesn't rely on this feature, I'd love to know now as well, but perhaps the etiquette in public would be to align ourselves with:

> we will not discuss or disclose the details of the exploits until they're fixed.

But if there's a public forum where the cat's already out of the bag, then game on. Perhaps this:

https://www.reddit.com/r/apple/comments/1ukilw1/apple_hide_m...

by rvnx 3 minutes ago

In the meantime, you can subscribe to their product that removes your real e-mail address from data brokers.

https://www.privacyguides.org/articles/2025/02/03/easyoptout...

    EasyOptOuts will send your personal information to data brokers regardless of whether they have your information in the first place, so they can remove it.

by Dibby053 19 minutes ago

My guess would be it has nothing to do with email itself. Maybe it's some iCloud API that accepts obfuscated emails but returns the original email in the response, or an ID which can be used to retrieve the iCloud email from another API endpoint. Could be as simple as an "add contact/friend" feature in some Apple product (like a mail client, or a file sharing service) that resolves the obfuscated email to the original iCloud account.

by fsuts 20 minutes ago

I think you should formally write to Apple and give notice of 30 days to contact you or you will reveal it.

Send it to the USA media and regulator too.

by jijijijij 12 minutes ago

I think "real email" address is underselling it, since that's commonly the Apple ID, which is the gateway to some people's whole digital existence. Not to mention the fact that you tend to use hidemyemail in particular for services you don't want any identity leaked to. The "real email" may contain your legal name already.

by lode 3 hours ago
by FabHK 41 minutes ago

That's disappointing, both that the vulnerability exists in the first place, and that Apple takes over a year to not even fix it.

by tjames7000 3 hours ago

We put up a timeline of the disclosure here: https://easyoptouts.com/guides/apple-hide-my-email-is-leakin...

by dang an hour ago

Thanks! We'll make that the main URL and put the submitted link in the toptext.

Data from: Hacker News, provided by Hacker News (unofficial) API