Got a tip for us?
Let us know
Become a MacRumors Supporter for $50/year with no ads, ability to filter front page stories, and private forums.
OS X Spotlight Glitch Exposes IP Addresses and Other System Details to Spammers
- Thread starter MacRumors
- Start date
- Sort by reaction score
That was one of the first things I did on both of my Macs after installing Yosemite...I didn't need a data breach report to convince me that this was not how I wanted Spotlight to work.
Hmmm....this is interesting. Last night I did a spotlight search in mail. Today I opened Mail and my emails were deleted from yesterday back until August '14.
I was assuming it was a server issue until I saw this thread. I use my ISP provided email and the emails were deleted there too.
I was assuming it was a server issue until I saw this thread. I use my ISP provided email and the emails were deleted there too.
It's amazing how Spotlight can expose all these details, while still obstructing everything else I do by being straight into my face. I have to memorize every number or detail I see, or write it down in TextEdit, because once I open Spotlight to enter it I can't see a damn thing.
Apart from Spotlight issues mentioned in the article, I believe that there's a bigger issue involving OS X at hand, which has been mentioned by others on this forum it's just another sign of OS X releases being unnecessarily rushed. I believe that Apple shouldn't be putting out yearly OS X upgrades just for the sake of it and focus on rock solid stability instead. If it takes two years for another OS to be published, then so be it. This yearly upgrade cycle that started with Lion is nonsense in my opinion and experience.
Mountain Lion didn't add anything that called for a new OS, they could've added things like Notification Center and Notes as updates to Lion, while working on Mountain Lion for another year and release it bundled with under the hood improvements that Mavericks brought. And then wait another 2 years to polish the Yosemite and release it as another, brand new OS. The 2 year interval would allow them to make the systems solid and fix bugs and glitches. Now it looks like this: they release a new OS, there are many, many bugs (compared to Snow Leopard for example), like the one that made WiFi crap out (I had this issue with Yosemite, but read that others experienced it with previous OS X editions). They patch some things up, but before the OS is solid and mature enough, there's the 1 year mark and it's on to another version and the whole cycle repeats.
And for me at least, it's pointless. I could've lived without the negligible new features of Mountain Lion or Mavericks (like I really needed Maps on my desktop that much) and just enjoy a steady OS X experience until they have polished the next OS. It's not like they have to compete with Windows - people buy Mac for the looks, ease of use and the ecosystem. None of the features introduced with Mountain Lion or Mavericks were selling points. My girlfriend couldn't had been able to tell the difference between Lion and Mountain Lion if I hadn't told her I had updated her Mac. And then she noticed that the remaining battery time information has been hidden and she was pissed (honestly, I still don't get it why they had hid it).So basically no one excepts geeks like me noticed the new OS X releases and and fewer people knew what those releases "where about".
Mountain Lion didn't add anything that called for a new OS, they could've added things like Notification Center and Notes as updates to Lion, while working on Mountain Lion for another year and release it bundled with under the hood improvements that Mavericks brought. And then wait another 2 years to polish the Yosemite and release it as another, brand new OS. The 2 year interval would allow them to make the systems solid and fix bugs and glitches. Now it looks like this: they release a new OS, there are many, many bugs (compared to Snow Leopard for example), like the one that made WiFi crap out (I had this issue with Yosemite, but read that others experienced it with previous OS X editions). They patch some things up, but before the OS is solid and mature enough, there's the 1 year mark and it's on to another version and the whole cycle repeats.
And for me at least, it's pointless. I could've lived without the negligible new features of Mountain Lion or Mavericks (like I really needed Maps on my desktop that much) and just enjoy a steady OS X experience until they have polished the next OS. It's not like they have to compete with Windows - people buy Mac for the looks, ease of use and the ecosystem. None of the features introduced with Mountain Lion or Mavericks were selling points. My girlfriend couldn't had been able to tell the difference between Lion and Mountain Lion if I hadn't told her I had updated her Mac. And then she noticed that the remaining battery time information has been hidden and she was pissed (honestly, I still don't get it why they had hid it).So basically no one excepts geeks like me noticed the new OS X releases and and fewer people knew what those releases "where about".
Lucky, i'm still on Mavericks..
IP address are public anyway.... this isn't personal info. and private IP's are non-rotatable (can't go over internet).
This further points out never load images in mail. If users like rich text/HTML images in email, they pay the price.
IP address are public anyway.... this isn't personal info. and private IP's are non-rotatable (can't go over internet).
This further points out never load images in mail. If users like rich text/HTML images in email, they pay the price.
Last edited:
Sure I know that too - Or you have a good spam filter on your email server. All my HTML images setting are on etc. I get maybe 1 spam mails out of 500+ mails a week. Click as junk and never again.
Point is this is utterly overblown as a MAJOR issue.
I use spotlight for a lot including opening apps. The new one is even quicker. You may only be saving a few seconds but it sure improves your workflow.
Some monumental defects in OS X and iOS were release in Steve's time.
How about Snow Leopard (which everyone thinks as some high point in OS X), which when released would wipe your home folder when you logged out if you had installed over a previous version that had the guest account available. Yes that's right it would delete ALL of your data.
or iPhone OS 3 where malicious text messages could be used to take complete control of the phone.
The biggest difference now, is that Apple is a bigger target. They have always been vulnerable.
Nice one, but no. Commercial emails from companies where much of the content is in html. I tried it when I saw this issue, and most of my emails had a whole lot of stuff missing. I have good spam handling so nearly all the emails I receive, I want, so whilst they may well be tracking if I receive the emails they sent, I dont care as I asked them to send them to me.
----------
Hmmm....this is interesting. Last night I did a spotlight search in mail. Today I opened Mail and my emails were deleted from yesterday back until August '14.
I was assuming it was a server issue until I saw this thread. I use my ISP provided email and the emails were deleted there too.
That has got nothing whatsoever to do with this issue which hasnt suddenly arisen yesterday its been there some time.
Ok. For those of you who need or still want to use Spotlight to be able to search their mail, here is a simple and uncomplicated plan: Use a decent Anti-Spam filtering program such as Spam-Sieve. Once set up, Spam-Sieve (or whatever decent program you choose) will have it's own folder structure created within your Mail app Library folder. Some differences may appear but it will basically look like this: (/users/YourUserNameHere/Library/Mail/V2/Mailboxes/SPAM-SIEVE.mbox
Obviously, YourUserNameHere and SPAM-SIEVE will be replace by whatever your username is and whatever your Anti-Spam folder is called.
Next, create an alias of your Spam folder (in this example it is SPAM-SIEVE.mbox mentioned earlier) and put it in your Documents folder or wherever you choose. Next, under the Spotlight preferences, select the "Privacy" tab and click on the "+" icon to add this alias folder to the list of folders that you want Spotlight NOT to search.
This way, you still have the option of having Spotlight search your emails (which can be quite usefule and helpful) but NOT emails that are deemed to be SPAM. You could theoretically also use this technique with your Mail App's "Junk" folder as well but I find that the Mail App's Junk folder never works like it should and is pretty much worthless (hence the need for something like Spam Sieve).
Obviously, YourUserNameHere and SPAM-SIEVE will be replace by whatever your username is and whatever your Anti-Spam folder is called.
Next, create an alias of your Spam folder (in this example it is SPAM-SIEVE.mbox mentioned earlier) and put it in your Documents folder or wherever you choose. Next, under the Spotlight preferences, select the "Privacy" tab and click on the "+" icon to add this alias folder to the list of folders that you want Spotlight NOT to search.
This way, you still have the option of having Spotlight search your emails (which can be quite usefule and helpful) but NOT emails that are deemed to be SPAM. You could theoretically also use this technique with your Mail App's "Junk" folder as well but I find that the Mail App's Junk folder never works like it should and is pretty much worthless (hence the need for something like Spam Sieve).
I ended up quitting Gmail because they didn't conform to standards and because I was suspicious that they were leaking my contacts, but my school email is Gmail anyway. It's working fine for me, but my friend had issues setting up Gmail with Mail on his Mac due to this. Google kept saying it was a hacking attempt when he tried to log in. I checked their help, and it said I need to enable access for "insecure" devices, so I did. Yes, the help said that all mail clients count as something "insecure" and that I should use the Gmail web mail and the Gmail iOS app instead. What clowns!
----------
Noted. This "tracking pixel" technique is something I should have used when I was trying to figure out who was behind that anonymous Facebook page at my school. I tricked him into visiting my website and took his IP address, but he was using the Tor browser, so it was useless. An email with a tracking pixel would have worked.
That was ten exclamation points we could have done without of.
----------
Or use a VPN with TOR as much as possible.
Last edited:
Amen to that. Yosemite has been nothing but problems for me. I'm now on a clean reinstall here, which has made wi-fi usable, but I still turn wi-fi off and on every so often to get some life out of it. Mail works when it feels like it. Sigh. I only just sent Apple a message via their feedback page the other day to tell them how frustrating this is getting. I agree, it's iOS as well. Nothing from Apple feels very reliable at the moment.
Another Apple apologist with made-up stats. I don't know what percentage of users have remote images turned off for the reasons stated in the article, but I can say that I'm one of them. And all this time I may as well not have bothered, because Apple is passing that info to spammers via Spotlight and Mail anyway. I'm actually pretty pissed off about this, and I think I have every right to be.
Yes, almost every website you visit will log your IP address and will know your user agent, which contains your OS version and stuff. But the spammers also learn which IP address was used to access which email account, information that most websites wouldn't obtain.
It IS a security hole. I still personally wouldn't worry about it because it's not a big deal anyway. What I am worried about is that Apple made yet another dumb mistake in a new version of OS X. And people here ask why I don't jump on updates...
I always assumed that Spotlight would honour the same settings as in Mail. When you go the general tab of Mail settings, at the bottom you can exclude certain mailboxes as well: spam and trash. I've always excluded those, so within Mail I can't search these mailboxes. Spotlight, however, seems to ignore these preferences and just searches all of them. Spotlight shouldn't even show me any spam or trashed e-mails to begin with, let alone ignore Mail's own security mechanisms to prevent issues like the present one.
Both are the kinds of things that Apple used to do well. I'm starting to think that they've scrapped lots of the previous Spotlight code to implement the changes, forgetting to plug all the holes in the process and rushing to release it. Not to mention that Spotlight still crashes so often even on 10.10.2 beta, it's been the most unstable as it has ever been.
Both are the kinds of things that Apple used to do well. I'm starting to think that they've scrapped lots of the previous Spotlight code to implement the changes, forgetting to plug all the holes in the process and rushing to release it. Not to mention that Spotlight still crashes so often even on 10.10.2 beta, it's been the most unstable as it has ever been.
Attachments
Ars Technica risk assessment
Spotlight search in OS X Yosemite exposes private user details to spammers | Ars Technica (2015-01-09)
Amongst readers' favourite comments, there's a link to furbo.org · Death by a thousand cuts (2015-01-06)
Discussion: Apples Software Quality Decline
Spotlight search in OS X Yosemite exposes private user details to spammers | Ars Technica (2015-01-09)
Amongst readers' favourite comments, there's a link to furbo.org · Death by a thousand cuts (2015-01-06)
Discussion: Apples Software Quality Decline
And this becomes a problem for spam filters - because they're less likely to filter such messages out. Spam filters rely on certain traits in a message that become less commonplace the more targeted the spam gets.
Additionally, many spam filters rely heavily on spam clients to be 'hasty'. Which they pretty much need to be. But if your email address is confirmed, they don't need to be 'hasty' anymore, and several defensive measures are defeated.