
Image credit: Nathan Ingraham/Engadget

Apple will fix macOS flaw exposing portions of encrypted emails

It only happens under specific circumstances, but it's still concerning.

Apple is touting its claimed privacy advantage more than ever, but that advantage doesn't entirely hold for Mac users at the moment. The company tells Engadget it will fix a macOS flaw that leaves portions of encrypted Mail messages unprotected. Bob Gendler has discovered that a database file used by Siri (snippets.db) was storing text from emails that were otherwise supposed to be protected -- even if you remove the private key, which leaves the messages unreadable in Mail itself. While it's not the full message, it could still pose problems if a hacker has access to your system and is trawling for sensitive info.

The vulnerability exists in at least the last four versions of macOS, ranging from Sierra to Catalina.

This isn't as glaring a flaw as it sounds. To be vulnerable, you'd have to use Mail, send encrypted messages from Mail and leave FileVault's whole-drive encryption turned off. If you rely on a third-party email client or use FileVault, you're not affected. You can also remove Mail from snippets.db by going to System Preferences > Siri > Siri Suggestions & Privacy > Mail and switching off the "learn from this app" option. It's not clear when the patch will be ready, but you won't have to stay exposed in the meantime.

Nonetheless, this isn't what you'd call confidence-inspiring. Gendler noted that he reported the issue on July 29th, and that Apple didn't respond with a solution until November 5th. That's a long time to leave email content exposed, even if the likelihood of an attack is slim in practice. It suggests that Apple still has room to speed up its responses to vulnerabilities.
