watchOS 8.5 Fixes Mail Privacy Protection Loophole That Could Expose IP Addresses

watchOS 8.5 fixes a security vulnerability in the Mail app that could leak a user’s IP address when downloading remote content, security researchers have found.



Last year, it emerged that Apple’s Mail Privacy Protection feature was undermined by a lack of Apple Watch support. Mail Privacy Protection was a new feature introduced with iOS 15, iPadOS 15, and macOS Monterey that hides your IP address so senders are not able to determine your location or link email habits to your other online activity. It also prevents senders from tracking whether you opened an email, how many times you viewed an email, and whether you forwarded the email.

The feature works by routing all content downloaded by the Mail app through multiple proxy servers to strip your IP address, and then it assigns a random IP address that corresponds to your general region, making email senders see generic information rather than specific information about you.

Apple’s legal documentation on Mail Privacy Protection indicates that the feature is available for iPhone, iPad, and Mac only, but security researchers and developers Talal Haj Bakry and Tommy Mysk discovered that since the Apple Watch does not hide a recipient’s IP address, it can compromise the overall security provided by Mail Privacy Protection.

The Apple Watch downloads remote content, such as images, using the recipient’s real IP address, both when receiving a Mail notification and when opening an email, meaning that even for users who had enabled Mail Privacy Protection on their iPhone, their IP address can be exposed.

While Mail Privacy Protection is a feature exclusive to iOS 15, iPadOS 15, and macOS Monterey, the fact that simply receiving a Mail notification on the Apple Watch could reveal a user’s IP address and bypass Mail Privacy Protection on other devices seemed to be an oversight. Now, Bakry and Mysk have found that Apple has fixed the issue in watchOS 8.5.

Good news: As of iOS 15.4 and watchOS 8.5 the Mail app on the watch no longer leaks the IP address when downloading remote content. Remote content is blocked on the watch even when Mail Privacy Protection is on. Now you get this prompt: https://t.co/Ocs0iXt4YM pic.twitter.com/Yea2fQxWlO

— Mysk 🇨🇦🇩🇪 (@mysk_co) March 14, 2022

As of watchOS 8.5, the Apple Watch automatically blocks remote content and instead provides an option to “Load Content Directly.” Users can also select “Always Load Content Directly” for all new emails or “Ask to Load Content” on a per-email basis. The improvement was not included in watchOS 8.5’s release notes.

watchOS 8.5 was released to the public yesterday and the update brings a number of other improvements, including updates to irregular heart rhythm notifications designed to improve atrial fibrillation identification, audio hints in Apple Fitness+ workouts, the ability to authorize Apple TV purchases and subscriptions, and the ability to restore an Apple Watch using an iPhone.

This article, “watchOS 8.5 Fixes Mail Privacy Protection Loophole That Could Expose IP Addresses” first appeared on MacRumors.com


iOS 15.4 Beta Adds Support for Setting Up Custom Email Domains With iCloud Mail

The iOS 15.4 beta that was introduced today expands support for the custom email domain feature available for iCloud+, adding an option to set up a custom domain with iCloud Mail directly on the iPhone.

If you go to Settings > Apple ID > iCloud, “iCloud Mail” is now a tappable option and it includes a section for setting up a Custom Email Domain.

Until now, custom domains could be set up with iCloud Mail, but only through Apple’s iCloud.com website; there was no option to set one up right on the iPhone or iPad.

Setting up a custom email domain requires a paid iCloud+ storage plan, which is priced starting at $0.99. The feature is designed to allow a custom email address like “johnny@appleseed.com” to be used for sending and receiving emails using iCloud Mail. Though the custom domain feature uses iCloud Mail, emails will be addressed to and sent from the custom domain.

Each iCloud user can add up to five custom domains to iCloud Mail, and members of a Family Sharing group can also use those domains. Email addresses that are currently used with the custom domain are supported, and there’s also an option to set up new email addresses with the domain.

Custom Email Domain settings on the iPhone and iPad will make it much easier to use custom email addresses. It’s worth noting that this same feature is also available on the Mac under System Preferences > Apple ID > iCloud Mail, but it does not yet appear to be functional.


This article, “iOS 15.4 Beta Adds Support for Setting Up Custom Email Domains With iCloud Mail” first appeared on MacRumors.com


How to Prevent Emails From Tracking You in Apple Mail

Apple’s App Tracking Transparency feature is designed to allow users to opt out of the surreptitious tracking that third-party apps have traditionally relied on for ad targeting purposes. But tracking can go on in your email inbox, too.


Unsolicited marketing emails will sometimes know whether you’ve opened their email, and if so, when you did so. They can even know where you were at the time, thanks to tracking methods employed by marketing platforms like MailChimp.

The way they track is very discreet and kind of creepy. Embedded in the email will be a tracking pixel, often hidden within a signature image or a link. When the message is opened in your email client, code within the pixel silently sends this information back to the company.

Some email account providers attempt to limit this sort of tracking by routing images through proxy servers, for example, which hides your location. But there’s actually a simple way of preventing tracking pixels altogether, and that’s by disabling the automatic loading of images in your email client.

The following steps show you how to disable automatic image loading in Apple Mail for macOS, and below them, you’ll find instructions to do the same in iOS.

  1. Launch Apple Mail.
  2. Select Mail -> Preferences from the menu bar.
  3. Click the Viewing tab.
  4. Uncheck the box next to Load remote content in messages.

If you’re using Mail for iPhone or iPad, you can find the same setting in the Settings app. Tap Mail, look under “Messages,” and turn off the toggle next to Load Remote Images.
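
The check below is an added example, not code from MacRumors or Apple: it lists the remote images an HTML email would make a mail client fetch on open, which is the request that reveals the reader's IP address and open time, and flags the ones that look like tracking pixels. The sample message, the hosts under .example, and the three heuristics (1x1 size, hidden by CSS, long or address-like query values) are constructed assumptions, not a complete tracker signature set.

```python
import re
from email import message_from_string, policy
from html.parser import HTMLParser
from urllib.parse import urlparse, parse_qs

# Constructed sample message; all hosts are placeholders under .example.
SAMPLE_EML = """\
From: Newsletter <news@shop.example>
To: reader@example.org
Subject: Spring offers
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Hello!</p>
<img src="https://cdn.shop.example/banner.png" width="600" height="200" alt="Spring sale">
<img src="https://tracker.example/o.gif?uid=8f3a9c2e71b04d55&amp;c=spring" width="1" height="1" alt="">
<img src="https://tracker.example/sig.png?r=reader%40example.org" style="display:none">
<img src="cid:logo123" width="80" height="80">
<a href="https://shop.example/offers">See offers</a>
</body></html>
"""


class RemoteImageCollector(HTMLParser):
    """Collects <img> tags whose src would be fetched over the network on open.

    cid: and data: images travel inside the message and cause no request;
    <a href> links are only fetched when the reader clicks them.
    """

    def __init__(self):
        super().__init__()
        self.images = []

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        a = {k: (v or "") for k, v in attrs}
        if urlparse(a.get("src", "")).scheme in ("http", "https"):
            self.images.append(a)


def _dimension(attrs, name):
    """Pixel size taken from the width/height attribute or inline style, else None."""
    m = re.fullmatch(r"\s*(\d+)\s*(px)?\s*", attrs.get(name, ""))
    if not m:
        m = re.search(rf"(?<![-\w]){name}\s*:\s*(\d+)\s*px", attrs.get("style", ""), re.I)
    return int(m.group(1)) if m else None


def classify(attrs):
    """Return the heuristic reasons (possibly none) an image looks like a tracker."""
    reasons = []
    w, h = _dimension(attrs, "width"), _dimension(attrs, "height")
    if w is not None and h is not None and w <= 1 and h <= 1:
        reasons.append("1x1 or smaller")
    style = attrs.get("style", "").replace(" ", "").lower()
    if "display:none" in style or "visibility:hidden" in style:
        reasons.append("hidden by CSS")
    # A long opaque value or an e-mail address in the query ties the fetch to one recipient.
    for key, values in parse_qs(urlparse(attrs["src"]).query).items():
        for v in values:
            if "@" in v or re.fullmatch(r"[A-Za-z0-9_\-=]{16,}", v):
                reasons.append(f"per-recipient token in '{key}'")
    return reasons


def scan_message(raw):
    """List every remote image in the HTML body with its host and tracker reasons."""
    msg = message_from_string(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("html",))
    if body is None:  # plain-text only: nothing is fetched on open
        return []
    collector = RemoteImageCollector()
    collector.feed(body.get_content())
    return [
        {"url": a["src"], "host": urlparse(a["src"]).hostname, "reasons": classify(a)}
        for a in collector.images
    ]


if __name__ == "__main__":
    for item in scan_message(SAMPLE_EML):
        verdict = "; ".join(item["reasons"]) or "no tracker heuristics matched"
        print(f"{item['host']:<20} {verdict}")
```

With remote content loading turned off, none of the listed URLs is requested, including the unflagged banner, which still discloses the IP address to its host when fetched.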


This article, “How to Prevent Emails From Tracking You in Apple Mail” first appeared on MacRumors.com


New Apple Services Could Include ‘Podcasts+,’ ‘Stocks+,’ and ‘Mail+,’ Analysts Predict

A range of new Apple services could include “Podcasts+,” “Stocks+,” and “Mail+,” according to a new report by Loup Ventures analysts.

Apple’s subscription service products are increasingly important to its business model, and the segment is now almost the size of a Fortune 50 company by revenue, growing by 16 percent in 2020 to $53.7 billion. Loup Ventures highlights that Spotify accumulated 144 million paid subscribers over a period of 14 years, while Apple Music accumulated 85 million paid subscribers in just five years. “This illustrates the power of services built on top of default apps,” the report says.

Loup Ventures claims that there is room for a number of additions to Apple’s successful services segment. New subscriptions could be “hiding in plain sight,” being built upon existing apps, and in turn aid the continued growth and adoption of Apple’s products and services.

Podcasts+ would form a tier in the existing Podcasts app, offering a selection of exclusive premium shows. Spotify has moved aggressively into podcasts, acquiring the exclusive rights to popular shows and removing them from other services. Podcasts+ would enable Apple to claw back space within the field. Apple has been repeatedly rumored to be moving into exclusive podcasts, even holding talks to acquire podcast network Wondery before it was bought by Amazon.

According to the report, Podcasts+ is expected to be bundled as a part of Apple One as well as Apple Music, with no added charge for existing paid subscribers. Podcasts+ would also help to “drive incremental interest” in Apple Music and Apple One as a result, “generating high-margin, recurring revenue.”

Stocks+ could build upon Apple’s move into personal finance with Apple Card, offering financial services such as investment accounts. Apple could “replicate its success with Apple Card and offer low-fee, private, secure, simple brokerage accounts,” and present integrated information on cost basis, market value, gain, and loss. In addition, Apple could offer trading services similar to Robinhood and robo-advisory services like Wealthfront.

Furthermore, Mail+ could be the first Apple service related to personal productivity. Taking cues from existing services such as Invisible and Calendly, Mail+ could offer advanced inbox management, automation, and scheduling.

The report also tentatively outlines two additional services titled “Maps+” and “Health+,” but provides much less information about what forms they could take. Maps+ could present advanced suggestions for destinations based on a desired outcome and be heavily integrated into the rumored Apple Car. Health+ could leverage the data Apple currently gathers via its Health app and present an offering that moves into digital healthcare and telemedicine.

Key to any new Apple services, the report explains, is a high level of integration. Apple Fitness+ serves as a case study of how an Apple service can move into a new space and offer a product that competitors are unable to match due to deep integration with existing products and services, such as the Apple Watch, Activity rings, and Apple Music.

Loup Ventures believes that new Apple services will capture value in new ways and drive the company toward a three-trillion dollar market cap. The firm has also speculated in the past that Apple will launch a combined hardware and software subscription.

This article, “New Apple Services Could Include ‘Podcasts+,’ ‘Stocks+,’ and ‘Mail+,’ Analysts Predict” first appeared on MacRumors.com


Email Aliases Not Functioning Properly in iOS 14

Email aliases in the Mail app don’t appear to be functioning correctly in the iOS 14 update, according to multiple customer complaints on the MacRumors forums and the Apple Support Communities.


Affected customers have set up aliases in the Mail app for subscriptions, account signups, and more, as aliases are useful for concealing a primary email address and limiting unwanted messages. Those aliases are not working as intended as of the iOS 14 update, with the Mail app on iPhone and iPad ignoring the preferred alias that’s selected when sending an email.

There appears to be no way for affected users to successfully control which alias is selected, leading to emails sent from unwanted addresses. A member of the Apple Support Communities describes the problem:

I have an IMAP account (not gmail) with a few aliases. I have been using this for YEARS and it’s always worked fine. Today, I sent my first email from iOS 14 and it changed my from address after I sent the email. Note, the correct address was selected in Mail – it was changed during sending. I then sent some mails from other aliases, and those were also all wrong – never the right address.

I then double checked on my iPad, and the same thing occurs. For now, I have just removed all aliases.

Many of the complaints are from iCloud users who are using aliases with Apple’s iCloud mail service, including those who have an older @mac.com or @me.com alias available to use with their @iCloud.com email addresses. Apple’s Mail app appears to default to the @iCloud.com email address instead of the properly selected @mac.com that some users prefer. From the MacRumors forums:

One of the few who still uses @mac.com for the email address. After the upgrade I am noticing that the from address defaults to @icloud.com even though the settings still points to @mac.com address. Not sure if anyone here is noticing that.

The problem also affects email aliases associated with non-iCloud accounts, including those set up with Gmail accounts, so there appears to be an issue with all email accounts that have an associated alias that causes the Mail app to pick a random “From” address.

There seems to be no fix or workaround at this time aside from disabling aliases, and as pointed out on the MacRumors forums, the problem continues to persist in the iOS 14.2 update that’s in beta testing. We expect iOS 14.2 to be in beta for at least another few weeks (likely until the iPhone 12 models launch) so there’s time for Apple to add additional bug fixes.


This article, “Email Aliases Not Functioning Properly in iOS 14” first appeared on MacRumors.com


Gmail Users Bring Renewed Attention to Issue With Apple’s Mail App Popping Open Sporadically on Mac

In a blog post shared on Reddit, software engineer Philipp Defner has brought renewed attention to a years-old issue that results in Apple’s Mail app randomly popping open as the frontmost application on the Mac.


“If you are in full screen mode — like when you are giving a talk or watching a movie — it opens itself up in split view mode where it takes up half the screen while your other main window is being resized,” wrote Defner, in line with similar comments shared across the MacRumors Forums, Apple Support Communities, and elsewhere.

The issue appears to be related to a potential connectivity or syncing issue with certain Gmail accounts, with some users noting that creating an app-specific password for your Gmail account is an effective workaround. Other users simply keep the Mail app minimized in the Dock instead of closed entirely to prevent it from popping open sporadically.

Defner notes that the issue has been occurring since at least macOS Sierra and continues in macOS Catalina. Affected users are hopeful that Apple can implement a fix, although it is unclear if there is anything it can do on its end.


This article, “Gmail Users Bring Renewed Attention to Issue With Apple’s Mail App Popping Open Sporadically on Mac” first appeared on MacRumors.com


Apple Says Recently Discovered iOS Mail Vulnerabilities Pose No Immediate Threat, But a Patch Is in the Works

Apple has responded to a recent report on vulnerabilities discovered in its iOS Mail app, claiming the issues do not pose an immediate risk to users.


Earlier this week, San Francisco-based cybersecurity company ZecOps said it had uncovered two zero-day security vulnerabilities affecting Apple’s stock Mail app for iPhones and iPads.

One of the vulnerabilities was said to enable an attacker to remotely infect an iOS device by sending emails that consume a large amount of memory. Another could allow remote code execution capabilities. Successful exploitation of the vulnerabilities could potentially allow an attacker to leak, modify, or delete a user’s emails, claimed ZecOps.

However, Apple has downplayed the severity of the issues in the following statement, which was given to several media outlets.

“Apple takes all reports of security threats seriously. We have thoroughly investigated the researcher’s report and, based on the information provided, have concluded these issues do not pose an immediate risk to our users. The researcher identified three issues in Mail, but alone they are insufficient to bypass iPhone and iPad security protections, and we have found no evidence they were used against customers. These potential issues will be addressed in a software update soon. We value our collaboration with security researchers to help keep our users safe and will be crediting the researcher for their assistance.”

The vulnerabilities are said to impact all software versions between iOS 6 and iOS 13.4.1. ZecOps said that Apple has patched the vulnerabilities in the latest beta of iOS 13.4.5, which should be publicly released within the coming weeks. Until then, ZecOps recommends using a third-party email app like Gmail or Outlook, which are apparently not impacted.

This article, “Apple Says Recently Discovered iOS Mail Vulnerabilities Pose No Immediate Threat, But a Patch Is in the Works” first appeared on MacRumors.com


Apple to Fix macOS Mail Vulnerability That Leaves Text of Some Encrypted Emails Readable

There’s a vulnerability in the macOS version of the Apple Mail app that leaves some of the text of encrypted emails unencrypted, according to a report from IT specialist Bob Gendler (via The Verge).

According to Gendler, the snippets.db database file used by a macOS function that offers up contact suggestions stores encrypted emails in an unencrypted format, even when Siri is disabled on the Mac.

In this email, Gendler demonstrates that the private key has been made unavailable in Mail, rendering the message unreadable. It continues to be available in the database, though.

Gendler initially discovered the bug on July 29 and reported it to Apple. Over the course of several months, Apple said that it was looking into the issue, though no fix ever came. The vulnerability continues to exist in macOS Catalina and earlier versions of macOS dating back to macOS Sierra.

“Let me say that again… The snippets.db database is storing encrypted Apple Mail messages…completely, totally, fully — UNENCRYPTED — readable, even with Siri disabled, without requiring the private key. Most would assume that disabling Siri would stop macOS from collecting information on the user. This is a big deal.

“This is a big deal for governments, corporations and regular people who use encrypted email and expect the contents to be protected. Secret or top-secret information, which was sent encrypted, would be exposed via this process and database, as would trade secrets and proprietary data.”

Apple told The Verge that it has been made aware of the issue and will address it in a future software update. Apple also said that only portions of some emails are stored, and provided Gendler with instructions on preventing data from being stored by the snippets database.

This issue affects a limited number of people in practice, and is not something that macOS users should generally worry about. It requires customers to be using macOS and the Apple Mail app to send encrypted emails. It does not impact those who have FileVault turned on, and a person who wanted to access the information would also need to know where in Apple’s system files to look and have physical access to a machine.

Still, as Gendler points out, this particular vulnerability “brings up the question of what else is tracked and potentially improperly stored without you realizing it.”

Those concerned about this issue can prevent data from being collected in the snippets.db database by opening up System Preferences, choosing the Siri section, selecting Siri Suggestions & Privacy, choosing Mail and then turning off “Learn from this App.” This will stop new emails from being added to snippets.db but won’t remove those that have already been included.

Apple told The Verge that customers who want to avoid unencrypted snippets being read by other apps can avoid giving apps full disk access in macOS Catalina. Turning on FileVault will also encrypt everything on the Mac.

Full details on the vulnerability can be read in Gendler’s Medium article.

This article, “Apple to Fix macOS Mail Vulnerability That Leaves Text of Some Encrypted Emails Readable” first appeared on MacRumors.com

PSA: Apple Mail Bugs Can Lead to Data Loss in macOS Catalina

Michael Tsai, the developer of EagleFiler and the SpamSieve plug-in for Apple Mail on Mac, has written a blog post warning macOS users about potential data loss in Mail when upgrading to macOS Catalina 10.15.0 (build 19A583).

According to Tsai, he’s heard from several users that updating Mail’s data store from Mojave to Catalina sometimes says that it has succeeded, when in fact on closer inspection it turns out that large numbers of messages are incomplete or missing entirely.

In addition, users have reported the loss of message content when moving emails between mailboxes. From Tsai’s post:

Moving messages between mailboxes, both via drag-and-drop and AppleScript, can result in a blank message (only headers) on the Mac. If the message was moved to a server mailbox, other devices see the message as deleted. And eventually this syncs back to the first Mac, where the message disappears as well.

Tsai warns that these issues are particularly pernicious because users may not realize anything’s wrong unless they look at affected messages or mailboxes. Since the data is synced to the server, these problems can also propagate to other computers and devices, and relying on backups is difficult because Mail data is continually changing and there’s no easy way to merge restored data with messages received since the last backup.

Despite the latter risk, it’s still good practice to make backups, but Tsai notes that Apple Support appears to be erroneously advising users that lost Mail data in Catalina can’t be recovered from a Time Machine backup made using macOS Mojave.

According to Tsai, this is not the case: Apple Mail’s File -> Import Mailboxes… menu bar option can be used to selectively import them into Mail in Catalina as new local mailboxes.

Tsai says he’s unsure whether these issues are due to Mail bugs or to other factors such as problems on the Mac or with the mail server. Apple released macOS Catalina 10.15.1 beta to developers on Friday, but it’s still unclear if this version resolves the Mail app bugs. Regardless, Tsai’s advice to users who rely on Apple Mail is to “hold off on updating to Catalina for now.”

Affected readers can find the full breakdown of the issues here. Have you had problems with Mail since updating to Catalina? Let us know in the comments below.

This article, “PSA: Apple Mail Bugs Can Lead to Data Loss in macOS Catalina” first appeared on MacRumors.com

How to Flag Emails Using Different Colors on iPhone and iPad

In iOS 13 and iPadOS 13, Apple’s Mail app retains the swipe gestures of previous iOS versions that help you reduce the amount of time you spend managing messages in your inbox.

The basic inbox gestures still involve swiping right or left on an email to reveal tappable actions that you can perform instantly, without having to call up additional menus.

One of the default options that appear is the Flag action, which you might use to categorize a message that requests information needed by a certain date, for example.

Using only the swipe gesture, you’d be forgiven for thinking that the Mail app provides only one color to use when flagging emails, but iOS 13 actually introduces support for multicolor flags – it’s just hidden away in the menu that appears when you hit the Reply button.

Tap the Flag button there, and you’ll reveal a submenu that allows you to choose one of seven colors, including the option to remove a flag. Note that whichever color you select here subsequently becomes the default color when you tap the Flag action or the More -> Mark… option via the inbox swipe gesture.

This article, “How to Flag Emails Using Different Colors on iPhone and iPad” first appeared on MacRumors.com
