A vulnerability has been discovered in the macOS version of the Apple Mail app which leaves some of the text in an encrypted email unencrypted. Apple says it will address the vulnerability in a future software update.
IT specialist Bob Gendler (via The Verge) says the snippets.db database file used by a macOS function that offers up contact suggestions stores encrypted emails in an unencrypted format, even when Siri is disabled on the Mac.
Gendler discovered the bug on July 29 and reported it to Apple. During the next several months, Apple said it was investigating the issue, but no fix was forthcoming. The vulnerability is present in macOS Catalina and in versions of macOS dating back to Sierra.
Let me say that again… The snippets.db database is storing encrypted Apple Mail messages…completely, totally, fully — UNENCRYPTED — readable, even with Siri disabled, without requiring the private key. Most would assume that disabling Siri would stop macOS from collecting information on the user. This is a big deal.
This is a big deal for governments, corporations and regular people who use encrypted email and expect the contents to be protected. Secret or top-secret information, which was sent encrypted, would be exposed via this process and database, as would trade secrets and proprietary data.
When contacted by The Verge, Apple said it has been made aware of the issue and will address it in a future software update. Apple also noted that only portions of some emails are stored, and that it had provided Gendler with instructions on preventing data from being stored by the snippets database.
While serious, the issue affects a limited number of users in real-world situations, as it requires users to be using macOS and the Apple Mail app to send encrypted emails. It does not impact users who have FileVault turned on, and an inquisitive type would need to know where in Apple’s system files to look and have physical access to a machine.
However, the vulnerability, in Gendler’s words, “brings up the question of what else is tracked and potentially improperly stored without you realizing it.”
Users who want to stop emails from being collected in snippets.db right now can do so by going to “System Preferences” -> “Siri” -> “Siri Suggestions & Privacy” -> “Mail” and toggling off “Learn from this App.” This will prevent new emails from being added to snippets.db, but won’t remove those that have already been included.
Customers who want to avoid unencrypted snippets being read by other apps can avoid giving apps full disk access in macOS Catalina. Turning on FileVault will also encrypt everything on the Mac.
Full details on the vulnerability are available in Gendler’s Medium article.