Apple's Hide My Email flaw exposes real addresses despite year-old report
A vulnerability in Apple's Hide My Email service allows recipients to deduce a user's real email address with simple forwarding tricks. The bug was reported to Apple over a year ago but remains unpatched, according to multiple reports.
A security flaw in Apple's Hide My Email feature, part of the iCloud+ subscription service, can expose a user's actual email address to anyone who receives a forwarded message. Multiple reports confirm the vulnerability has been known to Apple for at least a year with no fix released.
The feature is designed to generate random, unique email addresses that forward incoming messages to a user's real inbox. But according to the reports, a recipient of a forwarded message can recover the underlying real address with little technical skill, either by starting a reply and checking the address it is directed to, or by reading the message headers.
How the exposure works
When a forwarded email reaches a recipient, the message headers can carry the iCloud+ user's real email address alongside the alias. In some cases, simply hitting "reply" in a standard email client and examining the Reply-To field discloses the actual inbox. The technique requires no specialized tools.
- Researchers demonstrated the leak using standard email clients like Apple Mail and Gmail.
- The vulnerability was first reported to Apple through its security disclosure process in early 2023.
- Apple has not acknowledged the issue publicly or issued a patch in any iOS, iPadOS, or macOS update.
- Hide My Email is a key privacy selling point for iCloud+, which costs $0.99 per month and up.
- The flaw affects any user who forwards mail received through a Hide My Email address on to another recipient.
Implications for user privacy
The persistent gap undermines Apple's marketing of Hide My Email as a tool to prevent spam and protect identity. Privacy advocates warn that the exposure enables targeted phishing, account enumeration, and doxxing. Because the bug remains unpatched, users who rely on the feature for anonymity in forums, purchases, or sign-ups remain vulnerable.
Security experts advise iCloud+ subscribers to avoid using Hide My Email for communications that require strong anonymity. Until Apple issues a fix, the only mitigation is to manually inspect forwarded messages for header leaks or to use a separate forwarding service. Apple has not commented on a timeline for a patch.
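The manual check the reporting recommends, inspecting a forwarded message for header leaks before or after it goes out, can be scripted. The following is an added example, not code from Apple or from the reporting: it uses Python's standard email parser to list every address found in each header and in the text body, then reports where a given real address appears, or which addresses fall outside a set you expect to see. The sample message, its addresses, the alias format, and the `Reply-To` leak it contains are constructed for illustration.

```python
"""Report where a real inbox address leaks past a Hide My Email alias.

Added example; not Apple's code. The sample message and all addresses in it
are constructed for illustration.
"""
import email
import re
from email import policy

# Loose RFC 5322-style address matcher, enough for header and body scanning.
ADDR_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

# Constructed outbound forward: alias in From, but the user's real address
# has crept into Reply-To and into the quoted header block in the body.
SAMPLE_FORWARD = """\
Received: from relay.example.net (relay.example.net [203.0.113.5])
 by mx.example.org with ESMTP id abc123
 for <friend@example.org>; Mon, 3 Jun 2024 10:00:00 +0000
From: Jane <random.alias12345@icloud.com>
Reply-To: jane.real@example.com
To: Third Party <friend@example.org>
Subject: Fwd: Your order
Content-Type: text/plain; charset="utf-8"

Begin forwarded message:
From: Shop <orders@shop.example>
To: jane.real@example.com
Subject: Your order

Thanks for your purchase.
"""


def addresses_by_location(raw):
    """Map each header name (lowercased) and 'body' to the set of addresses
    found there. Repeated headers such as Received: are merged."""
    msg = email.message_from_string(raw, policy=policy.default)
    found = {}
    for name, value in msg.items():
        addrs = {a.lower() for a in ADDR_RE.findall(str(value))}
        if addrs:
            found.setdefault(name.lower(), set()).update(addrs)
    body = msg.get_body(preferencelist=("plain", "html"))
    if body is not None:
        addrs = {a.lower() for a in ADDR_RE.findall(body.get_content())}
        if addrs:
            found["body"] = addrs
    return found


def exposure_points(raw, real_address):
    """Sorted list of locations where the real address appears."""
    real = real_address.lower()
    return sorted(loc for loc, addrs in addresses_by_location(raw).items()
                  if real in addrs)


def unexpected_addresses(raw, expected):
    """Addresses per location that are not in the expected set (alias plus
    known correspondents). Anything reported here deserves a look."""
    allowed = {a.lower() for a in expected}
    out = {}
    for loc, addrs in addresses_by_location(raw).items():
        extra = addrs - allowed
        if extra:
            out[loc] = extra
    return out


if __name__ == "__main__":
    for loc in exposure_points(SAMPLE_FORWARD, "jane.real@example.com"):
        print(f"real address exposed in: {loc}")
    expected = ["random.alias12345@icloud.com", "friend@example.org",
                "orders@shop.example"]
    for loc, addrs in unexpected_addresses(SAMPLE_FORWARD, expected).items():
        print(f"unexpected in {loc}: {', '.join(sorted(addrs))}")
```

Run it against a raw message saved from your client (most clients offer "Show Original" or "Save as .eml") with your real address as the argument; an empty result from `exposure_points` means the address does not appear in any header or in the quoted text. The body scan matters because inline forwarding copies the original `To:` line into the message text, where no header filter will catch it.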
Fact check
- Apple's Hide My Email feature can expose a user's real email address to recipients of forwarded messages. (verified · source)
- The vulnerability was reported to Apple over a year ago and remains unpatched. (reported · source)
- Recipients can reveal the real email address with little effort using standard email clients. (verified · source)