OS X Spotlight Glitch Exposes IP Addresses and Other System Details to Spammers

A privacy glitch in Spotlight search for OS X may leak private details, including IP addresses, to email spammers. The flaw was first reported by German tech news site Heise and replicated in tests performed by IDG News Service.

The issue affects OS X Mail users who have followed the conventional security recommendation to turn off the "load remote content in messages" option in the Mail app. This setting prevents the loading of remote content such as images, including the "tracking pixels" that spammers use to harvest information when people open an email.

The glitch arises when OS X Mail users use Spotlight search, which includes emails in its search results. Spotlight ignores Mail's remote content block preference and loads the remote files referenced by those emails as part of building the preview. Once Spotlight loads one of these tracking pixels, spammers can glean details such as the IP address, OS X version, browser details, and the version of Quick Look being used.

Spotlight loads those files even when users have switched off the "load remote content in messages" option in the Mail app, a setting often disabled to keep email senders from learning whether an email has arrived and whether it has been opened. What's more, Spotlight also loads them when it shows previews of unopened emails that landed directly in the junk folder.

Currently, the only way to block this information leak is to stop Spotlight from including emails in search results entirely, by opening System Preferences and unchecking the "Mail & Messages" option for Spotlight. Apple has yet to comment on this Spotlight privacy glitch.
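To make concrete what Mail's "load remote content" setting blocks and what Spotlight's preview bypasses, here is an added example (not code from the article or from Apple) that parses a constructed HTML email, flags the remote image references a preview would fetch (the classic 1x1 tracking pixel), and rewrites them so rendering the body cannot contact the sender's server. The message, hostnames and token are all made up for the example.

```python
import re
from email import message_from_string
from email.policy import default
from html.parser import HTMLParser

# Constructed sample message (not from the article): an HTML email carrying a
# remote 1x1 tracking pixel alongside an inline (cid:) logo image.
SAMPLE_EMAIL = """\
From: promo@example.com
To: user@example.com
Subject: Sale
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Big sale!</p>
<img src="cid:logo123" width="200" height="50">
<img src="http://track.example.net/open?u=abc123" width="1" height="1">
</body></html>
"""

class RemoteImageFinder(HTMLParser):
    """Collects <img> tags whose src points at a remote (http/https) host."""
    def __init__(self):
        super().__init__()
        self.remote = []

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        a = dict(attrs)
        src = a.get("src") or ""
        if not src.lower().startswith(("http://", "https://")):
            return  # cid:/data: images are embedded; fetching them leaks nothing
        # A 1x1 image exists only to be fetched: the fetch itself is the signal
        # (client IP, User-Agent with OS/browser details, time of opening).
        pixel = a.get("width") == "1" and a.get("height") == "1"
        self.remote.append({"src": src, "tracking_pixel": pixel})

def find_remote_images(raw_email):
    """Return the remote image references found in a message's HTML body."""
    msg = message_from_string(raw_email, policy=default)
    body = msg.get_body(preferencelist=("html",))
    finder = RemoteImageFinder()
    finder.feed(body.get_content() if body else "")
    return finder.remote

def strip_remote_content(html):
    """Neutralise remote img sources, as a 'block remote content' setting does."""
    pattern = r'(<img\b[^>]*\bsrc=")(https?://[^"]*)"'
    return re.sub(pattern, r'\1about:blank"', html, flags=re.IGNORECASE)
```

Any component that renders the stripped body (a mail client or a search preview) then makes no network request, which is exactly the guarantee the article says Spotlight's preview fails to honour.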



Top Rated Comments

18 months ago

Oh for goodness sake, don't let them know my version is Yosemite and what browser I'm using! And, *gasp*, the version of QUICK LOOK?! This is an outrage.

/s


I don't think you understand what the article means.

Let me explain. If you block the tracking pixel from loading, the spammer will never realize that you received the email, and may eventually stop sending them. If they do realize that you receive the email, then they can get your IP address, know that the email address is valid, cross reference your purchasing habits with your IP address, and target you specifically with Facebook ads.

That's a major gaping privacy hole in OS X that needs to be patched.
Rating: 46 Votes
18 months ago
Oh for goodness sake, don't let them know my version is Yosemite and what browser I'm using! And, *gasp*, the version of QUICK LOOK?! This is an outrage.

/s
Rating: 11 Votes
18 months ago
Well thanks for the heads up, I've unchecked the setting in Spotlight.
Rating: 8 Votes
18 months ago
Another reason not to use the crappy mail app. Now I know why I have always stuck to using the webmail interface.

Will Apple ever get their act together and overhaul the damn app and actually make it usable?
Rating: 7 Votes
18 months ago
Yet another reason why Little Snitch is my favorite tech tattletale.
Rating: 7 Votes
18 months ago
As I've said before in other threads. Regardless of whether or not this is "harmful" to some or all - if there's a security issue and it's known, it should be fixed. End of story. No judgement. Simple as that.
Rating: 7 Votes
18 months ago
Am I the only one that rarely uses Spotlight? Don't get me wrong, I love spotlight especially the revamped one in 10.10. However, I just don't think about Spotlight when launching an application or searching for files. I mostly just hit the Launchpad shortcut on my keyboard and use the terminal for searching for/in files.

I guess I just need to force myself to use it more often and hopefully after a while I'll launch more by reflex.
Rating: 6 Votes
18 months ago
I'm going to go back to using Alfred I think.

This new Spotlight has been rubbish for me - it seems to ignore the ordering I have for results (I want bookmarks top) and if I open the wrong file via Spotlight search, it remembers it so when I search again, even though the file I opened doesn't explicitly match my search and another file does, it lists the wrong file at the top. It shouldn't remember it just because I did it once!
Rating: 6 Votes
18 months ago

Another reason not to use the crappy mail app. Now I know why I have always stuck to using the webmail interface.

Will Apple ever get their act together and overhaul the damn app and actually make it usable?


Your comment is hilarious! LOL Webmail like Gmail and Yahoo is often a worse offender and gives all kinds of info away. Try again HAHAHA!
Rating: 6 Votes
18 months ago

I don't think you understand what the article means.

Let me explain. If you block the tracking pixel from loading, the spammer will never realize that you received the email, and may eventually stop sending them. If they do realize that you receive the email, then they can get your IP address, know that the email address is valid, cross reference your purchasing habits with your IP address, and target you specifically with Facebook ads.

That's a major gaping privacy hole in OS X that needs to be patched.


That is actually very untrue. The majority of the spam computers that send out those spam emails have no way of monitoring your specific email account. They don't track if the email is valid, either. If they get a bounce back saying the email doesn't exist, they still continue to send repeated emails. They also aren't going to waste the time calculating "if you opened your email and read the ad", they're going to send you continual ads regardless.

Scam pixels are often used just for overall statistics, like "20% of the people we send ads to are in this part of the world using this version of OS X".

This would also require that a DIFFERENT version of the spam pixel is loaded for each email, so they could uniquely target each person they send the email to. It's much more cost-efficient to just send out mass emails, rather than track each of the millions of emails individually.
Rating: 6 Votes
