A security flaw in Apple's Hide My Email feature could expose users' real email addresses, rendering the privacy tool ineffective. According to researcher Tyler Murphy, the bug was discovered over a year ago and reported to Apple, but remains unpatched. Murphy, co-founder of EasyOptOuts, stated that in limited tests, 100% of generated Hide My Email addresses were exploitable. Technical details have been withheld to prevent abuse, but the researcher confirmed the vulnerability allows retrieving the real address even without accessing the iCloud account.
Hide My Email is a flagship privacy feature from Apple, introduced with iOS 15. It generates temporary, random addresses that forward messages to the user's real inbox. It is particularly useful for signing up for online services, newsletters, or purchases on untrusted sites. However, Murphy's discovery proves the protection can be bypassed. According to 404 Media, which verified the vulnerability, the issue is severe because many people-search sites can link an email address to other personal details such as name, physical address, and phone number. Those using Hide My Email for safety reasons, like journalists or activists, may be at heightened risk of exposure.
The Bug Found by Tyler Murphy Allows Tracing Back to User Identity
The exact mechanism has not been disclosed, but Murphy explained that the flaw exploits how Apple handles email forwarding. In practice, some external services can intercept the real address during the relay process. Tests on volunteers showed a 100% success rate, indicating the problem is systematic and not due to specific configurations. EasyOptOuts, Murphy's company, offers data removal from brokers, and the researcher emphasized that the combination of exposed data can have severe privacy consequences.
Apple Has Not Fixed the Problem More Than a Year After the Report
Murphy alerted Apple about the flaw over a year ago, yet the company has not issued a fix. This delay raises questions about Apple's commitment to privacy. In the past, Apple has faced criticism for overpromising privacy. In 2022, a lawsuit alleged that iPhone apps continued to send analytics data to Apple even with the privacy setting disabled. In 2023, a study found that the MAC address anonymization feature was ineffective. These incidents, along with the Hide My Email bug, cast doubt on the robustness of Apple's protections.
Impact on Apple's Reputation as a Privacy Champion
Apple has built much of its brand on user data protection. A persistent bug like this could erode consumer trust. It is crucial for the company to address the vulnerability promptly and communicate transparently. Meanwhile, users should consider alternative methods to protect their online identity, such as using independent temporary email services or additional encryption tools. The incident shows that no protection is foolproof and vigilance remains essential.