New Spotlight bug exposes your Mac's IP address and more to spammers

An unusual oversight in how OS X’s Spotlight feature handles privacy settings in Apple Mail leaves the door open to spammers, phishers and online tracking companies who can obtain private data such as your IP address, current operating system version, browser details and more, whenever an email message is previewed in Spotlight.

The bug was first spotted by German technology news site Heise, the bug takes advantage of a common information harvesting technique and a Mail setting which determines whether or not the program loads remote content in emails.

If turned off, Mail won’t load images in newsletters, HTML-formatted marketing messages and other emails. Spotlight, a search feature available anywhere in OS X, for some reason does not honor this setting.

As a result, each time you preview an email message in Spotlight the system retrieves images stored on remote servers, regardless of Mail’s privacy setting. This isn’t of major concern when previewing legitimate marketing messages in Spotlight that you subscribed to.

However, spammers and marketeers commonly use a technique called tracking pixels, which uses a link to a one-pixel-square GIF file that, when loaded, tells the server that you’ve received and opened the email. In turn, the server flags your email address as “alive” and from than point onward, you’ll receive even more unsolicited messages.

“What’s more, Spotlight also loads those files when it shows previews of unopened emails that landed directly in the junk folder,” notes Heise.
The only way to mitigate this is to exclude Mail from your Spotlight search by unticking the Mail & Messages box in System Preferences > Spotlight, as shown above.


blog comments powered by Disqus
Octofinder Blog Catalog