Apple to Fix macOS Mail Vulnerability That Leaves Text of Some Encrypted Emails Readable - MacRumors
Skip to Content

Apple to Fix macOS Mail Vulnerability That Leaves Text of Some Encrypted Emails Readable

There's a vulnerability in the macOS version of the Apple Mail app that leaves some of the text of encrypted emails unencrypted, according to a report from IT specialist Bob Gendler (via The Verge).

According to Gendler, the snippets.db database file used by a macOS function that offers up contact suggestions stores encrypted emails in an unencrypted format, even when Siri is disabled on the Mac.

mailencryptionissue

In this email, Gendler demonstrates that the private key has been made unavailable in Mail, rendering the message unreadable. It continues to be available in the database, though.

Gendler initially discovered the bug on July 29 and reported it to Apple. Over the course of several months, Apple said that it was looking into the issue, though no fix ever came. The vulnerability continues to exist in macOS Catalina and earlier versions of macOS dating back to macOS Sierra.

Let me say that again... The snippets.db database is storing encrypted Apple Mail messages...completely, totally, fully -- UNENCRYPTED -- readable, even with Siri disabled, without requiring the private key. Most would assume that disabling Siri would stop macOS from collecting information on the user. This is a big deal.

This is a big deal for governments, corporations and regular people who use encrypted email and expect the contents to be protected. Secret or top-secret information, which was sent encrypted, would be exposed via this process and database, as would trade secrets and proprietary data.

Apple told The Verge that it has been made aware of the issue and will address it in a future software update. Apple also said that only portions of some emails are stored, and provided Gendler with instructions on preventing data from being stored by the snippets database.

This issue affects a limited number of people in practice, and is not something that macOS users should generally worry about. It requires customers to be using macOS and the Apple Mail app to send encrypted emails. It does not impact those who have FileVault turned on, and a person who wanted to access the information would also need to know where in Apple's system files to look and have physical access to a machine.

Still, as Gendler points out, this particular vulnerability "brings up the question of what else is tracked and potentially improperly stored without you realizing it."

Those concerned about this issue can prevent data from being collected in the snippets.db database by opening up System Preferences, choosing the ‌Siri‌ section, selecting ‌Siri‌ Suggestions & Privacy, choosing Mail and then turning off "Learn from this App." This will stop new emails from being added to snippets.db but won't remove those that have already been included.

Apple told The Verge that customers who want to avoid unencrypted snippets being read by other apps can avoid giving apps full disk access in macOS Catalina. Turning on FileVault will also encrypt everything on the Mac.

Full details on the vulnerability can be read in Gendler's Medium article.

Popular Stories

Apple Acquires Award Winning App Play Feature

Apple Acquires Award-Winning App 'Play'

Monday June 29, 2026 7:39 am PDT by
In February, Apple notified the European Commission that it would be acquiring certain assets from and have the right to hire certain employees from Rabbit 3 Times, the company behind the award-winning app design tool Play. The notification was published on the European Commission's website this week, following a four-month waiting period. Play was a Mac and iPhone app that allowed designers ...
iPhone 18 Pro Deep Red Feature

Apple 'Concerned' Over iPhone 18 Pro Data Leak From Supplier Tata

Monday June 29, 2026 11:46 am PDT by
Apple is "concerned" about a recent data leak from Tata Electronics, one of its manufacturing partners in India, reports Reuters. Tata Electronics was the target of a cyberattack, with confidential Apple documents stolen and shared on the dark web. Hackers were able to steal information about the iPhone 18 Pro and iPhone 18 Pro Max, including a list of suppliers, parts, and images of the...
series 10 apple watch titanium digital crown

Report: Apple Watch Redesign Coming Next Year With New Band System

Tuesday June 30, 2026 8:45 am PDT by
A "major overhaul" of the Apple Watch's design is due to arrive next year with a new system for connecting bands, according to a known Weibo leaker. In a set of recent posts, the leaker known as "Instant Digital" linked the new claim to older rumors about an "Apple Watch X" model, which was said to introduce a fresh design and break compatibility with the existing watch band system. Citing...

Top Rated Comments

87 months ago

Apple has so many bugs now. What a shame. They’re all marketing now
Don't worry Tim's on the case...

Season 2 of The Morning Show will feature 20% more Apple logos.
Score: 17 Votes (Like | Disagree)
Dovydas Avatar
87 months ago

This is overblown. S/MIME = HTTPS for e-mail. Encryped webpages are cached and indexed all the time.

Bob Gendler is acting like S/MIME is some super-high security protocol where it isn't. It doesn't protect "Secret or top-secret information".
The point is if you do something do it properly. What else is overblown by your definition? It is just bad attitude to have period.
Score: 14 Votes (Like | Disagree)
87 months ago

Who doesn't have FileVault turned on???
Me.
Score: 12 Votes (Like | Disagree)
SDJim Avatar
87 months ago
Who doesn't have FileVault turned on???
Score: 9 Votes (Like | Disagree)
jasnw Avatar
87 months ago
Given Apple's track record on fixing Mail problems I'd not expect this to be fixed until, well, ever?
Score: 6 Votes (Like | Disagree)
87 months ago

You missed my point. As I said, we index and cache encrypted webpages all the time for user features.
This is a false equivalence. Unless you actually break the end-to-end encryption (e.g. by forcing the user to accept a new root certificate), you can only index encrypted web page content that is accessible without prior authentication. Encrypted email should *never* be readable by anyone but the addressee, neither in transit nor at rest.

This is absolutely a big deal in corporate environments. Full disc encryption is not a replacement, since e.g. it might be decryptable to admins who should not have access to another employee's protected emails.
Score: 6 Votes (Like | Disagree)