• Home
  • macOS
  • News
  • Security
  • Apple Has a Fix on the Way for macOS Mail Vulnerability That Leaves Text of Some Encrypted Emails Readable

Apple Has a Fix on the Way for macOS Mail Vulnerability That Leaves Text of Some Encrypted Emails Readable

Apple Has a Fix on the Way for macOS Mail Vulnerability That Leaves Text of Some Encrypted Emails Readable

A vulnerability has been discovered in the macOS version of the Apple Mail app which leaves some of the text in an encrypted email unencrypted. Apple says it will address the vulnerability in a future software update.

IT specialist Bob Gendler (via The Verge) says the snippets.db database file used by a macOS function that offers up contact suggestions stores encrypted emails in an unencrypted format, even when Siri is disabled on the Mac.

Gendler discovered the bug on July 29 and reported it to Apple. During the next several months, Apple said it was investigating the issue, but no fix was forthcoming. The vulnerability is present in macOS Catalina, and versions of macOS dating back to Sierra.

Let me say that again… The snippets.db database is storing encrypted Apple Mail messages…completely, totally, fully — UNENCRYPTED — readable, even with ‌Siri‌ disabled, without requiring the private key. Most would assume that disabling ‌Siri‌ would stop macOS from collecting information on the user. This is a big deal.

This is a big deal for governments, corporations and regular people who use encrypted email and expect the contents to be protected. Secret or top-secret information, which was sent encrypted, would be exposed via this process and database, as would trade secrets and proprietary data.

When contacted by The Verge, Apple said it has been made aware of the issue and will address it in a future software update. Apple also noted that only portions of some emails are stored, and that it had provided Gendler with instructions on preventing data from being stored by the snippets database.

While serious, the issue affects a limited number of users in real world situations, as it requires users to be using macOS and the Apple Mail app to send encrypted emails. It does not impact users who have FileVault turned on, and an inquisitive type would need to know where in Apple’s system files to look and have physical access to a machine.

However, the vulnerability, in Gendler’s words “brings up the question of what else is tracked and potentially improperly stored without you realizing it.”

Users that want to stop emails from being collected in snippets.db right now, can do so by going to “System Preferences” -> “Siri” -> “Siri Suggestions & Privacy” -> “Mail” and toggling off “Learn from this App.” This will prevent new emails from being added to snippets.db, but won’t remove those that have already been included.

Customers who want to avoid unencrypted snippets being read by other apps can avoid giving apps full disk access in ‌macOS Catalina‌. Turning on FileVault will also encrypt everything on the Mac.

Full details on the vulnerability are available in Gendler’s Medium article.

(Image via Bob Gendler)

  1. 205221 197977Spot on with this write-up, I truly suppose this internet site needs significantly a lot more consideration. probably be once more to learn way much more, thanks for that information. 85954

  2. 637137 518644Id really should speak to you here. Which is not some thing I do! I quite like reading a post which will make folks believe. Also, numerous thanks permitting me to comment! 539233

  3. benelli r1 says:

    718386 919398Outstanding post, I think blog owners should larn a great deal from this internet site its rattling user friendly . 641474

  4. Excellent weblog publish. I Totally enjoy This page. Many thanks!

  5. Hey There. I uncovered your weblog the use of msn. That is definitelya very neatly published report. I’ll be sure youbookmark it and return to browse far more of the handy data.Many thanks with the post. I will certainly return.

Leave a Reply

Your email address will not be published. Required fields are marked *