Apple stakes a lot of its reputation on how it protects the privacy of its users, as it wants to be the only tech company you trust. But if you send encrypted emails from Apple Mail, there’s currently a way to read some of the text of those emails as if they were unencrypted — and allegedly, Apple’s known about this vulnerability for months without offering a fix.

Before we go any further, you should know this likely only affects a small number of people. You need to be using Apple Mail on macOS, be sending encrypted emails from it, not already be using FileVault to encrypt your entire disk, and know exactly where in Apple’s system files to look for this information. An attacker would need access to those system files, too, either by getting onto the Mac as you or by reading the unencrypted disk directly.

Apple tells The Verge it’s aware of the issue and says it will address it in a future software update. The company also says that only portions of emails are stored. But the fact that Apple is still somehow leaving parts of encrypted emails out in the open, when they’re explicitly supposed to be encrypted, obviously isn’t good.

Only portions of emails are stored

The vulnerability was shared by Bob Gendler, an Apple-focused IT specialist, in a Medium blog published on Wednesday. Gendler says that while trying to figure out how macOS and Siri suggest information to users, he found macOS database files that store information from Mail and other apps which are then used by Siri to better suggest information to users. That isn’t too shocking in and of itself — it makes sense that Apple needs to reference and learn from some of your information to provide you better Siri suggestions.

But Gendler discovered that one of those files, snippets.db, was storing the unencrypted text of emails that were supposed to be encrypted. Here’s an image he shared that’s helpful to explain what’s going on:

Image: Bob Gendler

The circle on the left is around an encrypted email, which Gendler’s computer is not able to read, because Gendler says he removed the private key which would typically allow him to do so. But in the circle on the right, you can make out the text of that encrypted email in snippets.db.

Gendler says he tested the four most recent macOS releases — Catalina, Mojave, High Sierra, and Sierra — and could read encrypted email text from snippets.db on all of them. I was able to confirm the existence of snippets.db, and found that it stored portions of some of my emails from Apple Mail. I couldn’t find a way to get snippets.db to store encrypted emails I sent to myself, though.

There’s a way to stop emails from being collected

Gendler first reported the issue to Apple on July 29th, and he says he didn’t get a response with a solution from the company until November 5th — 99 days later — despite repeated follow-ups. And even though Apple has updated each of the four versions of macOS where Gendler spotted the vulnerability in the months since he reported it, none of those updates contained a fix for the issue.

If you want to stop emails from being collected in snippets.db right now, Apple tells us you can do so by going to System Preferences > Siri > Siri Suggestions & Privacy > Mail and toggling off “Learn from this App.” Apple also provided this solution to Gendler — but he says this solution will only stop new emails from being added to snippets.db. If you want to make sure older emails that may be stored in snippets.db can no longer be scanned, you may need to delete that file, too.
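A practical way to verify both points above, whether your own encrypted mail is landing in snippets.db and whether a cleanup actually removed it, is a canary check: send yourself an S/MIME-encrypted message whose body contains a unique marker string, then search the database for that marker. The script below is an added example, not code from The Verge or from Bob Gendler’s write-up. It assumes snippets.db is an ordinary SQLite file at `~/Library/Suggestions/snippets.db` (the article does not give the path), and it makes no assumption about Apple’s table layout: it enumerates every table and column from `sqlite_master`, so the `snippets` table it builds for its self-contained demo is a constructed stand-in only. The byte-level scan is there because deleting rows from a SQLite database does not wipe the old page contents unless the file is vacuumed, which is one reason the article’s advice is to delete the file rather than edit it.

```python
"""Canary check for leaked plaintext in a SQLite store such as snippets.db.

Added example; not from the article or from Bob Gendler's write-up.
Assumptions: snippets.db is SQLite and lives at SNIPPETS_DB below; the
table built by build_sample_db() is a constructed stand-in, not Apple's.
"""
import os
import sqlite3
import tempfile

# Assumed macOS location of the file; the article does not give the path.
SNIPPETS_DB = os.path.expanduser("~/Library/Suggestions/snippets.db")

# Marker to put in the body of an encrypted test message sent to yourself.
# If it turns up in snippets.db, the plaintext was indexed.
CANARY = "canary-0d4c71e2-do-not-index"


def _q(name):
    """Quote an identifier for use in SQL (table/column names come from the DB)."""
    return '"' + name.replace('"', '""') + '"'


def scan_db(db_path, needle):
    """Search every TEXT/BLOB cell of every table for `needle`.

    Schema-agnostic: table names come from sqlite_master and columns from
    PRAGMA table_info, so nothing here depends on Apple's layout.
    Returns a list of (table, column, rowid) hits, in table/row order.
    """
    hits = []
    conn = sqlite3.connect("file:{}?mode=ro".format(db_path), uri=True)
    try:
        tables = [r[0] for r in conn.execute(
            "SELECT name FROM sqlite_master WHERE type='table' ORDER BY name")]
        for table in tables:
            cols = [r[1] for r in conn.execute("PRAGMA table_info({})".format(_q(table)))]
            for row in conn.execute("SELECT rowid, * FROM {}".format(_q(table))):
                rowid, cells = row[0], row[1:]
                for col, cell in zip(cols, cells):
                    if isinstance(cell, bytes):
                        cell = cell.decode("utf-8", "ignore")
                    if isinstance(cell, str) and needle in cell:
                        hits.append((table, col, rowid))
    finally:
        conn.close()
    return hits


def raw_file_contains(db_path, needle):
    """Byte-level search that also catches deleted-but-unwiped rows.

    DELETE only unlinks a row; without secure_delete or VACUUM the old page
    bytes stay in the file, so a clean scan_db() result is not proof the
    text is gone from disk.
    """
    with open(db_path, "rb") as f:
        return needle.encode("utf-8") in f.read()


def delete_hits(db_path, hits, vacuum=True):
    """Remove the rows found by scan_db(); VACUUM rewrites the file so the
    freed pages do not keep the plaintext. Deleting the whole file, as the
    article suggests, is the simpler option when you do not need the rest."""
    conn = sqlite3.connect(db_path)
    try:
        for table, _col, rowid in hits:
            conn.execute("DELETE FROM {} WHERE rowid = ?".format(_q(table)), (rowid,))
        conn.commit()
        if vacuum:
            conn.execute("VACUUM")  # must run outside a transaction
    finally:
        conn.close()


def build_sample_db(db_path):
    """Constructed stand-in for snippets.db with an assumed layout (demo only)."""
    if os.path.exists(db_path):
        os.remove(db_path)
    conn = sqlite3.connect(db_path)
    with conn:
        conn.execute("CREATE TABLE snippets (id INTEGER PRIMARY KEY, app TEXT, content TEXT)")
        conn.executemany("INSERT INTO snippets (app, content) VALUES (?, ?)", [
            ("com.apple.mail", "Lunch on Thursday? " + CANARY),   # leaked encrypted body
            ("com.apple.mail", "Reminder: dentist at 3pm"),       # ordinary plaintext mail
        ])
    conn.close()


def run_demo():
    """Build the stand-in DB, find the canary, purge it, and re-check.
    Returns the intermediate results so they can be inspected or asserted."""
    path = os.path.join(tempfile.mkdtemp(), "snippets.db")
    build_sample_db(path)
    before = scan_db(path, CANARY)
    raw_before = raw_file_contains(path, CANARY)
    delete_hits(path, before)
    return {
        "before": before,                  # [("snippets", "content", 1)]
        "raw_before": raw_before,          # True
        "after": scan_db(path, CANARY),    # []
        "raw_after": raw_file_contains(path, CANARY),  # False after VACUUM
    }


if __name__ == "__main__":
    if os.path.exists(SNIPPETS_DB):
        print("hits in real snippets.db:", scan_db(SNIPPETS_DB, CANARY))
        print("raw bytes present:", raw_file_contains(SNIPPETS_DB, CANARY))
    else:
        print("no snippets.db found; running self-contained demo:", run_demo())
```

Run it on a Mac after sending yourself an encrypted message containing `CANARY`; an empty `scan_db` result together with a `False` from `raw_file_contains` is the condition you want. Note that FileVault does not change what this finds while you are logged in: whole-disk encryption protects the file at rest, and any process that can read the file as your user still sees the plaintext.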

If you want to avoid these unencrypted snippets potentially being read by other apps, you can avoid giving apps full disk access in macOS Catalina, according to Apple — and you probably have very few apps with full disk access. Apple also says that turning on FileVault will encrypt everything on your Mac, if you want to be extra safe. Keep in mind that FileVault protects the file at rest: once you are logged in, the disk is transparently decrypted, so it guards against someone reading the drive directly, not against an app that already has access to the file.

Again, this vulnerability probably won’t affect that many people. But if you do rely on Apple Mail and believed your Apple Mail emails were 100 percent encrypted, it seems that they’re not. As Gendler says, “It brings up the question of what else is tracked and potentially improperly stored without you realizing it.”

