Apple Fixed macOS Mail Vulnerability That Exposed Text of Encrypted Emails in macOS Catalina 10.15.3

Apple in macOS 10.15.3 quietly addressed a bug that left some of the text of encrypted emails unencrypted, reports The Verge.

This particular vulnerability was publicized back in November, after IT specialist Bob Gendler found that the snippets.db database file used by a Siri feature to offer up contact suggestions stored encrypted emails in an unencrypted format.

A demonstration from Gendler showing the bug. The image features a private key that has been made unavailable in Mail, rendering the message unreadable. It continues to be available in the database, though.

Gendler reported the bug to Apple in July, but shared details in November after Apple failed to fix it. After the bug was announced to the public, Apple promised that a fix was coming in a future version of macOS.

Only a small number of people were affected by the bug because it required a very specific set of steps to reproduce. It required customers to be using macOS and the Apple Mail app to send encrypted emails. It did not impact those who had FileVault turned on, and a person who wanted to access the information would have also needed to know where in Apple's system files to look and have had physical access to a machine.

Apple didn't mention the bug fix when macOS Catalina 10.15.3 was released last week, but the update does indeed appear address the issue, Gendler told The Verge.

According to Gendler, ‌macOS Catalina‌ 10.15.3 prevents encrypted emails from appearing in Spotlight searches, and the database file that used to include encrypted emails no longer does so.

Top Rated Comments

(View all)
Avatar
2 weeks ago


This must be untrue, these things only happen to evil Google, Microsoft or Android.

Can you find me a quote of anyone saying this?
Rating: 1 Votes
Avatar
2 weeks ago
Narwhals always have a point.
Rating: 1 Votes
Avatar
2 weeks ago


Just read yesterday's publication (or from two days ago) regarding a vulnerability in Google, you will find plenty of those messages.

Then it should be easy to quote one.

“Find the publication in the last few days” isn’t a proper citation. I’ve no idea what you’re talking about.
Rating: 1 Votes
Avatar
2 weeks ago
This must be untrue, these things only happen to evil Google, Microsoft or Android.
Rating: 1 Votes
Avatar
2 weeks ago
me:

are usually explained.

you:

Wrong. There's nothing matching this issue in the announcements.

I’m thinking you may not understand the word “usually” or maybe the word “wrong”. These kinds of issues usually do get some explanation in the security announcement emails from Apple. I get them most of the times that new point releases come out from Apple - often I am alerted to new point releases by the arrival of those messages. So I stand by my statement - it’s not wrong. If they haven’t included it in the mail this time, that doesn't negate the fact that they usually do.
Rating: -1 Votes
[ Read All Comments ]