Apple to Fix macOS Mail Vulnerability That Leaves Text of Some Encrypted Emails Readable

by

There's a vulnerability in the macOS version of the Apple Mail app that leaves some of the text of encrypted emails unencrypted, according to a report from IT specialist Bob Gendler (via The Verge).

According to Gendler, the snippets.db database file used by a macOS function that offers up contact suggestions stores encrypted emails in an unencrypted format, even when Siri is disabled on the Mac.

mailencryptionissue

In this email, Gendler demonstrates that the private key has been made unavailable in Mail, rendering the message unreadable. It continues to be available in the database, though.

Gendler initially discovered the bug on July 29 and reported it to Apple. Over the course of several months, Apple said that it was looking into the issue, though no fix ever came. The vulnerability continues to exist in macOS Catalina and earlier versions of macOS dating back to macOS Sierra.

Let me say that again... The snippets.db database is storing encrypted Apple Mail messages...completely, totally, fully -- UNENCRYPTED -- readable, even with Siri disabled, without requiring the private key. Most would assume that disabling Siri would stop macOS from collecting information on the user. This is a big deal.

This is a big deal for governments, corporations and regular people who use encrypted email and expect the contents to be protected. Secret or top-secret information, which was sent encrypted, would be exposed via this process and database, as would trade secrets and proprietary data.

Apple told The Verge that it has been made aware of the issue and will address it in a future software update. Apple also said that only portions of some emails are stored, and provided Gendler with instructions on preventing data from being stored by the snippets database.

This issue affects a limited number of people in practice, and is not something that macOS users should generally worry about. It requires customers to be using macOS and the Apple Mail app to send encrypted emails. It does not impact those who have FileVault turned on, and a person who wanted to access the information would also need to know where in Apple's system files to look and have physical access to a machine.

Still, as Gendler points out, this particular vulnerability "brings up the question of what else is tracked and potentially improperly stored without you realizing it."

Those concerned about this issue can prevent data from being collected in the snippets.db database by opening up System Preferences, choosing the ‌Siri‌ section, selecting ‌Siri‌ Suggestions & Privacy, choosing Mail and then turning off "Learn from this App." This will stop new emails from being added to snippets.db but won't remove those that have already been included.

Apple told The Verge that customers who want to avoid unencrypted snippets being read by other apps can avoid giving apps full disk access in macOS Catalina. Turning on FileVault will also encrypt everything on the Mac.

Full details on the vulnerability can be read in Gendler's Medium article.

Tag: Apple Mail

Popular Stories

Apple Glass

Apple Smart Glasses: Everything We Know So Far

Wednesday May 21, 2025 8:21 am PDT by
Google recently made waves by showcasing a set of lightweight smart glasses featuring deep Gemini integration and an optional in-lens display. The demo has reignited interest in Apple's own smart glasses project, which has been the subject of rumors for nearly a decade. Here's a recap of where things stand. Current Development Status Apple is actively working on new chips specifically...
Read Full Article55 comments
Apple Glasses Purple Feature

Apple Smart Glasses Launching in 2026

Thursday May 22, 2025 12:22 pm PDT by
Apple is planning to launch a set of smart glasses by the end of 2026, reports Bloomberg. The glasses will be comparable to the Meta Ray-Bans and the Android XR glasses that Google showed off earlier this week. Apple's smart glasses are expected to include cameras, microphones, and AI capabilities, much like the Meta Ray-Bans. The glasses will be able to take photos, record video, provide...
Read Full Article140 comments
Apple CarPlay Ultra instrument cluster themes 01

Apple's CarPlay Ultra Is Here – Does Your iPhone Support It?

Thursday May 15, 2025 5:17 am PDT by
Apple's recently announced CarPlay Ultra promises a deeply integrated in-car experience, but not all iPhone users will be able to take advantage of the new feature. According to Apple's press release, CarPlay Ultra requires an iPhone 12 or later running iOS 18.5 or later. This means if you're using an iPhone 11, iPhone XR, or any older model, you'll need to upgrade your device to access...
Read Full Article
maxresdefault

OpenAI Buys Jony Ive's AI Startup to 'Completely Reimagine What It Means to Use a Computer'

Wednesday May 21, 2025 10:27 am PDT by
OpenAI is acquiring io, the hardware-based AI startup co-created by Jony Ive, OpenAI announced today. Ive has been working with OpenAI CEO Sam Altman on io for two years, and the duo expects to develop a family of AI devices. In a video shared by OpenAI, Altman and Ive outlined their partnership and what they expect to create as a result of the merger. "I have a growing sense that everything ...
Read Full Article436 comments
WWDC 2025 Banner

Apple Announces WWDC 2025 Schedule, Including Keynote Time

Tuesday May 20, 2025 8:13 am PDT by
Apple today announced a more detailed schedule for its annual developers conference WWDC, which runs from June 9 through June 13. The schedule confirms that Apple's keynote will begin on Monday, June 9 at 10 a.m. Pacific Time, with a live stream to be available on Apple.com, in the Apple TV app, and on YouTube. During the keynote, Apple is expected to announce iOS 19, iPadOS 19, macOS 16,...
Read Full Article43 comments
iPod shuffle generations

Kuo: Jony Ive's Futuristic OpenAI Device Like a Neck-Worn iPod Shuffle

Thursday May 22, 2025 8:05 am PDT by
The big news in the technology world this week is that ChatGPT maker OpenAI is working more closely with Apple's former design chief Jony Ive on a futuristic AI device. The company is remaining tight lipped about the device, but Apple supply chain analyst Ming-Chi Kuo has shared some alleged details about its design. In a social media post today, Kuo said the device will be "slightly larger" ...
Read Full Article192 comments
macOS 16 visionOS Inspired Feature 1

macOS 16: Everything We Know So Far

Tuesday May 20, 2025 7:31 am PDT by
The Worldwide Developers Conference (WWDC), Apple's annual developer and software-oriented event, is less than three weeks away. We haven't heard a great deal about macOS 16 ahead of its announcement this year, so we could be in for some major surprises when June 9 rolls around. Here's what we know so far about the next major update to Apple's Mac operating system. macOS 16 Name? Every year ...
Read Full Article103 comments

Top Rated Comments

Khedron Avatar
Khedron
72 months ago

Apple has so many bugs now. What a shame. They’re all marketing now
Don't worry Tim's on the case...

Season 2 of The Morning Show will feature 20% more Apple logos.
Score: 17 Votes (Like | Disagree)
Dovydas Avatar
Dovydas
72 months ago

This is overblown. S/MIME = HTTPS for e-mail. Encryped webpages are cached and indexed all the time.

Bob Gendler is acting like S/MIME is some super-high security protocol where it isn't. It doesn't protect "Secret or top-secret information".
The point is if you do something do it properly. What else is overblown by your definition? It is just bad attitude to have period.
Score: 14 Votes (Like | Disagree)
dickie001x Avatar
dickie001x
72 months ago

Who doesn't have FileVault turned on???
Me.
Score: 12 Votes (Like | Disagree)
SDJim Avatar
SDJim
72 months ago
Who doesn't have FileVault turned on???
Score: 9 Votes (Like | Disagree)
Rigby Avatar
Rigby
72 months ago

You missed my point. As I said, we index and cache encrypted webpages all the time for user features.
This is a false equivalence. Unless you actually break the end-to-end encryption (e.g. by forcing the user to accept a new root certificate), you can only index encrypted web page content that is accessible without prior authentication. Encrypted email should *never* be readable by anyone but the addressee, neither in transit nor at rest.

This is absolutely a big deal in corporate environments. Full disc encryption is not a replacement, since e.g. it might be decryptable to admins who should not have access to another employee's protected emails.
Score: 6 Votes (Like | Disagree)
jasnw Avatar
jasnw
72 months ago
Given Apple's track record on fixing Mail problems I'd not expect this to be fixed until, well, ever?
Score: 6 Votes (Like | Disagree)
Read All Comments