Spotlight search in OS X Yosemite exposes private user details to spammers

1/10/2015

Search feature overrides widely used setting blocking remote images.

Using the Spotlight search feature in OS X Yosemite can leak IP addresses and private details to spammers and other e-mail-based scammers, according to tests independently performed by two news outlets.

The potential privacy glitch affects people who have configured the Mac Mail App to turn off the "load remote content in messages" setting, as security experts have long advised. Spammers, stalkers, and online marketers often use remote images as a homing beacon to surreptitiously track people opening e-mail. Because the images are hosted on sites hosted by the e-mail sender, the sender can log the IP address that viewed the message, as well as the times and how often the message was viewed, and the specific e-mail addresses that received the message. Many users prefer to keep their e-mail addresses, IP addresses, and viewing habits private, a goal that's undermined by the viewing of remote images.

Like Mozilla Thunderbird, Microsoft Outlook, and many other e-mail clients, Mail allows users to block remote images for precisely this reason. But even when remote image viewing is disabled in Yosemite-based Mail app settings, the images will be opened by Spotlight, according to two recent media reports. The feature is used to search a Mac for files or e-mail containing a specified search term. When spotlight returns a preview of e-mails containing the term, it loads the images, overriding the option. Images are loaded even when the previewed message has landed in a users' junk mail folder.

The behavior was reported early Friday by German security publication Heise and later confirmed by IDG News. It's not clear if Spotlight similarly overrides image blocking in third-party apps. Apple hasn't immediately commented on the reports.

source