OS X Spotlight Glitch Exposes IP Addresses and Other System Details to Spammers

MacRumors

macrumors bot
Original poster
Apr 12, 2001
49,685
11,001



A privacy glitch in Spotlight search for OS X may leak private details, including IP addresses, to email spammers. The flaw was first reported by German tech news site Heise and replicated in tests performed by IDG News Service.

The issue affects OS X mail users who have followed conventional security recommendations to turn off the "load remote content in messages" option in the Mail app. This setting prevents the loading of remote content such as images, including "tracking pixels" that are used by spammers to harvest information when people open an email.

A glitch arises when OS X Mail users utilize Spotlight search in OS X, which includes emails in the search results. Spotlight ignores the remote content block preference from Mail and loads the remote email files as part of the search process. Once Spotlight loads one of these tracking pixels, spammers can glean details such as the IP address, OS X version, browser details, and the version of Quick Look being used.
The Spotlight preview loads those files even when users have switched off the "load remote content in messages" option in the Mail app, a feature often disabled to prevent email senders from knowing if an email has arrived and if it has been opened. What's more, Spotlight also loads those files when it shows previews of unopened emails that landed directly in the junk folder.
Currently, the only way to block this information leak is to block Spotlight from including emails in search results entirely by opening System Preferences and unchecking the "Mail & Messages" option for Spotlight. Apple has yet to comment on this Spotlight privacy glitch.

Article Link: OS X Spotlight Glitch Exposes IP Addresses and Other System Details to Spammers
 

joshwenke

macrumors regular
Mar 26, 2011
209
813
Oh for goodness sake, don't let them know my version is Yosemite and what browser I'm using! And, *gasp*, the version of QUICK LOOK?! This is an outrage.

/s
 

thejadedmonkey

macrumors G3
May 28, 2005
8,225
1,237
Pennsylvania
Oh for goodness sake, don't let them know my version is Yosemite and what browser I'm using! And, *gasp*, the version of QUICK LOOK?! This is an outrage.

/s
I don't think you understand what the article means.

Let me explain. If you block the tracking pixel from loading, the spammer will never realize that you received the email, and may eventually stop sending them. If they do realize that you receive the email, then they can get your IP address, know that the email address is valid, cross reference your purchasing habits with your IP address, and target you specifically with Facebook ads.

That's a major gaping privacy hole in OS X that needs to be patched.
 

Scyanide

macrumors member
Apr 9, 2013
91
7
Melbourne, FL
Am I the only one that rarely uses Spotlight? Don't get me wrong, I love spotlight especially the revamped one in 10.10. However, I just don't think about Spotlight when launching an application or searching for files. I mostly just hit the Launchpad shortcut on my keyboard and use the terminal for searching for/in files.

I guess I just need to force myself to use it more often and hopefully after a while I'll launch more by reflex.
 

kolax

macrumors G3
Mar 20, 2007
9,181
115
I'm going to go back to using Alfred I think.

This new Spotlight has been rubbish for me - it seems to ignore the ordering I have for results (I want bookmarks top) and if I open the wrong file via Spotlight search, it remembers it so when I search again, even though the file I opened doesn't explicitly match my search and another file does, it lists the wrong file at the top. It shouldn't remember it just because I did it once!
 

BlendedFrog

macrumors regular
Dec 9, 2010
241
95
Another reason not to use the crappy mail app. Now I know why I have always stuck to using the webmail interface.

Will Apple ever get their act together and overhaul the damn app and actually make it usable?
 

prowlmedia

Suspended
Jan 26, 2010
1,589
813
London
I don't think you understand what the article means.

Let me explain. If you block the tracking pixel from loading, the spammer will never realize that you received the email, and may eventually stop sending them. If they do realize that you receive the email, then they can get your IP address, know that the email address is valid, cross reference your purchasing habits with your IP address, and target you specifically with Facebook ads.

That's a major gaping privacy hole in OS X that needs to be patched.
Do you think that Spammers have any form of Mail Send filtering at all. They send billions of mails. Facebook ads - what... how they doing that then? Even i they can... who gives a crap... I am not clicking on any. Major is pushing it I think. Slightly annoying at best.
 

ArtOfWarfare

macrumors G3
Nov 26, 2007
8,855
4,644
Oops.

Seems pretty minor to me.

If I had to guess, I would say that finding the email in Finder and Quick Looking it will probably have the exact same issue where it ignores the settings in Mail (after all, it's a Mail setting, not a system wide setting.)

The proper remedy is probably to make it a system wide setting where you have to set it in the Settings app, and then make Mail and Finder and Spotlight obey it (and probably have every other mail client from a 3rd party ignore it. I feel like 3rd party developers tend to ignore most system settings.)
 

solamar

macrumors regular
Dec 30, 2008
179
72
Another reason not to use the crappy mail app. Now I know why I have always stuck to using the webmail interface.

Will Apple ever get their act together and overhaul the damn app and actually make it usable?
You're comment is hilarious! LOL Webmail like Gmail and Yahoo is often a worse offender and gives all kinds of info away. try again HAHAHA!
 

Yebubbleman

macrumors 68040
May 20, 2010
3,360
575
Los Angeles, CA
[url=http://cdn.macrumors.com/im/macrumorsthreadlogodarkd.png]Image[/url]


A privacy glitch in Spotlight search for OS X may leak private details, including IP addresses, to email spammers. The flaw was first reported by German tech news site Heise and replicated in tests performed by IDG News Service.

The issue affects OS X mail users who have followed conventional security recommendations to turn off the "load remote content in messages" option in the Mail app. This setting prevents the loading of remote content such as images, including "tracking pixels" that are used by spammers to harvest information when people open an email.

A glitch arises when OS X Mail users utilize Spotlight search in OS X, which includes emails in the search results. Spotlight ignores the remote content block preference from Mail and loads the remote email files as part of the search process. Once Spotlight loads one of these tracking pixels, spammers can glean details such as the IP address, OS X version, browser details, and the version of Quick Look being used.Currently, the only way to block this information leak is to block Spotlight from including emails in search results entirely by opening System Preferences and unchecking the "Mail & Messages" option for Spotlight. Apple has yet to comment on this Spotlight privacy glitch.

Article Link: OS X Spotlight Glitch Exposes IP Addresses and Other System Details to Spammers
Dumb question, though perhaps the article should've said this, but is this unique to Yosemite or are other versions affected? It sounds like it's unique to Yosemite, but further clarification here would be great.
 

JGIGS

macrumors 65816
Jan 1, 2008
1,340
1,175
CANADA!
Sorry but its getting brutal how buggy apple operating systems are getting. Yosemite still having wifi issues?

I miss the day when both ios and osx were rock solid. If Android and someone starts coming out with PC's of better build quality than plastic junk I'd have to seriously think about jumping ship. with my next purchases. Surface pro keeps getting lighter and peaking my interest to replace my Macbook.
 

SMIDG3T

Suspended
Apr 29, 2012
3,859
2,316
England
Oops.

Seems pretty minor to me.

If I had to guess, I would say that finding the email in Finder and Quick Looking it will probably have the exact same issue where it ignores the settings in Mail (after all, it's a Mail setting, not a system wide setting.)

The proper remedy is probably to make it a system wide setting where you have to set it in the Settings app, and then make Mail and Finder and Spotlight obey it (and probably have every other mail client from a 3rd party ignore it. I feel like 3rd party developers tend to ignore most system settings.)
Did you not read post #4?
 

Tumbleweed666

macrumors 68000
Mar 20, 2009
1,661
63
Near London, UK.
Let me explain. If you block the tracking pixel from loading, the spammer will never realize that you received the email, and may eventually stop sending them.
And little piggies may fly as well. Why would they bother when itsa trivial portion out of who knows how many millions of emails?.

----------

Well thanks for the heads up, I've unchecked the setting in Spotlight.
and you'll now find your emails look like ****** and you'll be switching it back on soon :D
 

brentmore

macrumors 6502
Jul 19, 2002
263
1
ATX
Yet another reason why Little Snitch is my favorite tech tattletale.
 
Last edited:

jasnw

macrumors 6502a
Nov 15, 2013
808
838
Seattle Area (NOT! Microsoft)
I do not use Spotlight and actively dislike having it enabled. The only thing I've kept selected in the Spotlight list is "Mail and Messages" because I was told (post-ML) that this was needed in order to be able to use searches in the Mail app. Is this true, or can I disable Spotlight altogether as I'd prefer to do and still be able to search from within the Mail app?
 

samcraig

macrumors P6
Jun 22, 2009
16,637
41,608
USA
As I've said before in other threads. Regardless of whether or not this is "harmful" to some or all - if there's a security issue and it's known, it should be fixed. End of story. No judgement. Simple as that.
 

horsebattery

macrumors 6502
Sep 24, 2013
311
343
And little piggies may fly as well. Why would they bother when itsa trivial portion out of who knows how many millions of emails?.

----------



and you'll now find your emails look like ****** and you'll be switching it back on soon :D
Do you primarily receive wallpapers and greeting cards for your emails?

And that the leaked information may not seem of consequence to you, does not detract from the fact that this is indeed a security hole that should be brought to Apple's attention and patched.
 

dvh

macrumors newbie
Jul 7, 2010
1
0
This is a minor bug. What percentage of users actually disable displaying remote images in HTML emails? Probably not many (<1%). Most commercial emails link to remote images and disabling the images take away most of the email content. So why be signed up for legitimate emails if the content isn't there? Overblown... Comical how people jump on minor things just to complain.
 

joshwenke

macrumors regular
Mar 26, 2011
209
813
I don't think you understand what the article means.

Let me explain. If you block the tracking pixel from loading, the spammer will never realize that you received the email, and may eventually stop sending them. If they do realize that you receive the email, then they can get your IP address, know that the email address is valid, cross reference your purchasing habits with your IP address, and target you specifically with Facebook ads.

That's a major gaping privacy hole in OS X that needs to be patched.
That is actually very untrue. The majority of the spam computers that send out those spam emails have no way of monitoring your specific email account. They don't track if the email is valid, either. If they get a bounce back saying the email doesn't exist, they still continue to send repeated emails. They also aren't going to waste the time calculating "if you opened your email and read the ad", they're going to send you continual ads regardless.

Scam pixels are often used just for overall statistics, like "20% of the people we send ads to are in this part of the world using this version of OS X".

This would also require that a DIFFERENT version of the spam pixel is loaded for each email, so they could uniquely target each person they send the email to. It's much more cost-efficient to just send out mass emails, rather than track each of the millions of emails individually.
 

bax2003

macrumors 6502a
Dec 25, 2011
903
139
Serbia
Another reason not to use the crappy mail app. Now I know why I have always stuck to using the webmail interface.

Will Apple ever get their act together and overhaul the damn app and actually make it usable?
I use mail app, and I love it.
 

reikohh

macrumors newbie
Nov 18, 2013
14
0
Workaround from german magazine

German Heise magazine released a workaround:

DisableMail.qlgenerator uses a trick: The Quick Look plug-in handles the rendering of e-mail files in Spotlight. It thus prevents the system plug-in is loaded. DisableMail include only a plist file but no executable code. As a result, can not be loaded and OS X, use the default viewer or a plug-in that feels also responsible, as the QLStephen above the plug-in.

http://www.heise.de/newsticker/meld...atenschutzpanne-in-OS-X-Yosemite-2514653.html
 

Zxxv

macrumors 68040
Nov 13, 2011
3,558
1,103
UK
aren't most of these so called troublesome emails meant to be in the spam/junk mail folder anyway?

just have spotlight ignore the junk folder
 
Register on MacRumors! This sidebar will go away, and you'll see fewer ads.