Apple to Fix macOS Mail Vulnerability That Leaves Text of Some Encrypted Emails Readable

[MacRumors]

There's a vulnerability in the macOS version of the Apple Mail app that leaves some of the text of encrypted emails unencrypted, according to a report from IT specialist Bob Gendler (via The Verge).

According to Gendler, the snippets.db database file used by a macOS function that offers up contact suggestions stores encrypted emails in an unencrypted format, even when Siri is disabled on the Mac.

In this email, Gendler demonstrates that the private key has been made unavailable in Mail, rendering the message unreadable. It continues to be available in the database, though.​

Gendler initially discovered the bug on July 29 and reported it to Apple. Over the course of several months, Apple said that it was looking into the issue, though no fix ever came. The vulnerability continues to exist in macOS Catalina and earlier versions of macOS dating back to macOS Sierra.

Let me say that again... The snippets.db database is storing encrypted Apple Mail messages...completely, totally, fully -- UNENCRYPTED -- readable, even with Siri disabled, without requiring the private key. Most would assume that disabling Siri would stop macOS from collecting information on the user. This is a big deal.

This is a big deal for governments, corporations and regular people who use encrypted email and expect the contents to be protected. Secret or top-secret information, which was sent encrypted, would be exposed via this process and database, as would trade secrets and proprietary data.

Apple told The Verge that it has been made aware of the issue and will address it in a future software update. Apple also said that only portions of some emails are stored, and provided Gendler with instructions on preventing data from being stored by the snippets database.

This issue affects a limited number of people in practice, and is not something that macOS users should generally worry about. It requires customers to be using macOS and the Apple Mail app to send encrypted emails. It does not impact those who have FileVault turned on, and a person who wanted to access the information would also need to know where in Apple's system files to look and have physical access to a machine.

Still, as Gendler points out, this particular vulnerability "brings up the question of what else is tracked and potentially improperly stored without you realizing it."

Those concerned about this issue can prevent data from being collected in the snippets.db database by opening up System Preferences, choosing the Siri section, selecting Siri Suggestions & Privacy, choosing Mail and then turning off "Learn from this App." This will stop new emails from being added to snippets.db but won't remove those that have already been included.

Apple told The Verge that customers who want to avoid unencrypted snippets being read by other apps can avoid giving apps full disk access in macOS Catalina. Turning on FileVault will also encrypt everything on the Mac.

Full details on the vulnerability can be read in Gendler's Medium article.

Article Link: Apple to Fix macOS Mail Vulnerability That Leaves Text of Some Encrypted Emails Readable

 

[TechRemarker]

Good find but hopefully affecting very few since hard to imagine customers that go through the conscious effort and sending encrypted emails wouldn’t also have file vault enabled which prevents this bug from happening. Odd though that Apple was informed it previously and didn’t do anything about it or perhaps with all the other security bugs out there the use case was so small that they decided to put much lower on the list?

 

[konqerror]

This is overblown. S/MIME = HTTPS for e-mail. Encryped webpages are cached and indexed all the time.

Bob Gendler is acting like S/MIME is some super-high security protocol where it isn't. It doesn't protect "Secret or top-secret information".

 

[Dovydas]

This is overblown. S/MIME = HTTPS for e-mail. Encryped webpages are cached and indexed all the time.

Bob Gendler is acting like S/MIME is some super-high security protocol where it isn't. It doesn't protect "Secret or top-secret information".

The point is if you do something do it properly. What else is overblown by your definition? It is just bad attitude to have period.

 

[SDJim]

Who doesn't have FileVault turned on???

 

[konqerror]

The point is if you do something do it properly. What else is overblown by your definition? It is just bad attitude to have period.

You missed my point. As I said, we index and cache encrypted webpages all the time for user features.

You are assuming, along with Gendler that it is "proper" to completely ignore text in S/MIME e-mails, likely because it has "secure" in the name, when the level of security, use cases, and behavior in comparable systems (HTTPS) don't need it.

Basically, if autocomplete works in HTTPS pages, why shouldn't it work with S/MIME?

And every single e-mail client and webmail app will have the same behavior on compose, since nobody forces you to select S/MIME encryption before composing an e-mail.

 

[Bustycat]

So 10.15.1 Supplemental Update is coming very soon...

 

[Khedron]

Waiting for the incoming explanation of how this is no big deal compared to people constantly falling asleep in public and having Samsung's face recognition work with their eyes closed...
[automerge]1573240792[/automerge]

You missed my point. As I said, we index and cache encrypted webpages all the time for user features.

You are assuming, along with Gendler that it is "proper" to completely ignore text in S/MIME e-mails, likely because it has "secure" in the name, when the level of security, use cases, and behavior in comparable systems (HTTPS) don't need it.

Basically, if autocomplete works in HTTPS pages, why shouldn't it work with S/MIME?

And every single e-mail client and webmail app will have the same behavior, since nobody forces you to select S/MIME encryption before composing an e-mail.

It says Siri was turned off. Who is this "we" that is constantly doing things the user explicitly requests you not to?

Then again, this is the same Siri that was sending people's recordings to 3rd parties without user permission.

 

[Bokito]

That this issue exists is possible and an ugly oversight, but leaving it without a patch for months is kinda nuts. Apple really needs to step up it’s game. A lot of people don’t use FileVault but do want to have (some) of their e-mail encrypted.

 

[Rigby]

You missed my point. As I said, we index and cache encrypted webpages all the time for user features.

This is a false equivalence. Unless you actually break the end-to-end encryption (e.g. by forcing the user to accept a new root certificate), you can only index encrypted web page content that is accessible without prior authentication. Encrypted email should *never* be readable by anyone but the addressee, neither in transit nor at rest.

This is absolutely a big deal in corporate environments. Full disc encryption is not a replacement, since e.g. it might be decryptable to admins who should not have access to another employee's protected emails.

 

[konqerror]

It says Siri was turned off. Who is this "we" that is constantly doing things the user explicitly requests you not to?

Then again, this is the same Siri that was sending people's recordings to 3rd parties without user permission.

Shows that he doesn't know what he's talking about, since autocomplete and contact suggestions aren't Siri. We had those features long ago.

This is a false equivalence. Unless you actually break the end-to-end encryption (e.g. by forcing the user to accept a new root certificate), you can only index encrypted web page content that is accessible without prior authentication.

No, you're looking it from the network side. Both this issue and HTTPS indexing are on the client side (web browser). Again, autocomplete works on HTTPS sites based on what you typed into other HTTPS sites, so your statement is wrong. In fact, Chrome is sending my typing right now into this HTTPS site to their servers for spell checking purposes.

This is absolutely a big deal in corporate environments. Full disc encryption is not a replacement, since e.g. it might be decryptable to admins who should not have access to another employees protected emails.

Nope. Corporate environments escrow both S/MIME and FDE keys since they have to be accessible to admins, e.g. in response to a lawsuit or if they need to investigate an employee.

 

[Exhale]

You missed my point. As I said, we index and cache encrypted webpages all the time for user features.

Sure, but only if the site in question is not including the cache control header, meaning it only wants transport security and not content security.

 

[Rigby]

No, you're looking it from the network side. Both this issue and HTTPS indexing are on the client side (web browser). Again, autocomplete works on HTTPS sites based on what you typed into other HTTPS sites.

Well, I wouldn't expect my mail client to index the body of my encrypted emails, especially not if the index is then not properly encyrpted.

Nope. Corporate environments escrow S/MIME and FDE keys since they have to be accessible to admins, e.g. in response to a lawsuit.

Maybe in your environment. In mine, access to encrypted emails and access to regular content of the employees' hard drives require different clearance levels. It's insane to just grant any lowly admin access to everyone's encrypted communications.

 

[dickie001x]

Who doesn't have FileVault turned on???

Me.

 

[4jasontv]

A setting to 'auto-download all HTML emails to iCloud' and then serve those image anonymously via Apple's servers would remove the sender from knowing if the email was actually opened or if it was deleted. You know, remove the HTML requests, cookies and web beacons so I can review their email without providing information to the sender. I don't think people appreciate that not only do websites track when you click an email but they also track where in the email you clicked and when the content of the HTML email was requested so as to verify the email address is active and to measure the impact the email had on the recipient.

Also, will it fix the issue where Mail opens on its own and interrupts my workflow? And no, the open in full screen setting and calendar settings don't fix it. Cause that would be swell.

 

[konqerror]

Sure, but only if the site in question is not including the cache control header, meaning it only wants transport security and not content security.

Doesn't affect autocomplete. In fact, autocomplete now ignores autocomplete=off in all modern browsers due to misuse.
[automerge]1573241707[/automerge]

Well, I wouldn't expect my mail client to index the body of my encrypted emails, especially not if the index is then not properly encyrpted.

Your browser indexes and caches the content of encrypted web pages and doesn't use encryption.

Maybe in your environment. In mine, access to encrypted emails and access to regular content of the employees' hard drives require different clearance levels. It's insane to just grant any lowly admin access to everyone's encrypted communications.

You're putting words in my mouth. You said that you can't use FDE at all.

This is absolutely a big deal in corporate environments. Full disc encryption is not a replacement, since e.g. it might be decryptable to admins who should not have access to another employee's protected emails.

This is not true. Every corporate environment uses FDE with key escrow. Nobody said anything about the level of key escrow and who has access.

In fact, in many environments, servers have regular access to S/MIME keys so they can do antimalware and DLP scanning, just like they decrypt TLS.

Besides, nobody with truly sensitive information would be sending it over public e-mail on a Mac, S/MIME or not.

 

[EmotionalSnow]

Me.

May I ask why?

 

[miniyou64]

Apple has so many bugs now. What a shame. They’re all marketing now

 

[coolfactor]

The Mail team at Apple seems like the odd duck out. They always do things slightly differently. Look at the UI for sending and deleting messages in Mail on iOS... totally different than how you do it in the Messages app.

In a way, it seems the Mail team tries to be on the bleeding edge of UI paradigms. A lot of what they created was later carried into the larger macOS (or OS X at the time).

Encryption on individual emails is an advanced feature that most people would not be using. And yes, everyone should have FileVault enabled!

 

[G4DPII]

May I ask why?

I've never used it, my wife and I are the onlyone that have access to our machines. They contain nothing of use to anyone. If someone want to access 1000's of boring photo's of our trips to Chester Zoo, the sad buggers are welcome to them.

Not everyone needs it. I am sure to those that do more with thier machines it is crucial and a very helpful added feature.

 

[Khedron]

Apple has so many bugs now. What a shame. They’re all marketing now

Don't worry Tim's on the case...

Season 2 of The Morning Show will feature 20% more Apple logos.

 

[SDJim]

I've never used it, my wife and I are the onlyone that have access to our machines. They contain nothing of use to anyone. If someone want to access 1000's of boring photo's of our trips to Chester Zoo, the sad buggers are welcome to them.

Not everyone needs it. I am sure to those that do more with thier machines it is crucial and a very helpful added feature.

That makes sense. That being the case, however, you probably don't utilize encrypted email, so this bug doesn't affect you anyhow.

Rephrase: Who uses encrypted email and doesn't have filevault turned on???

 

[jasnw]

Given Apple's track record on fixing Mail problems I'd not expect this to be fixed until, well, ever?

 

[confessJason]

For the millionth time: fire Craig Federighi. He’s a bozo. He doesn’t have the engineering chops that Forstall had. I don’t care if Hair Force One has charisma and stage presence. Under him, software reliability has diminished in ways that gives Windows/Android automatic wins.

 

[ghboard2010]

Don't worry Tim's on the case...

Season 2 of The Morning Show will feature 20% more Apple logos.

. . . and 15% more emojis!