An unusual oversight in how OS X’s Spotlight feature handles privacy settings in Apple Mail leaves the door open to spammers, phishers and online tracking companies who can obtain private data such as your IP address, current operating system version, browser details and more, whenever an email message is previewed in Spotlight.
First discovered by German technology news site Heise, the bug takes advantage of a common information harvesting technique and a Mail setting which determines whether or not the program loads remote content in emails.
If turned off, Mail won’t load images in newsletters, HTML-formatted marketing messages and other emails. Spotlight, a search feature available anywhere in OS X, for some reason does not honor this setting.
As a result, each time you preview an email message in Spotlight the system retrieves images stored on remote servers, regardless of Mail’s privacy setting. This isn’t of major concern when previewing legitimate marketing messages in Spotlight that you subscribed to.
However, spammers and marketeers commonly use a technique called tracking pixels: a link to a one-pixel-square GIF file that, when loaded, tells the server that you’ve received and opened the email. In turn, the server flags your email address as “alive” and from that point onward, you’ll receive even more unsolicited messages.
“What’s more, Spotlight also loads those files when it shows previews of unopened emails that landed directly in the junk folder,” notes Heise.
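What a mail client has to do to honour a "don't load remote content" setting, as an added example (this is not code from the original article, from Heise or from Apple): scan the HTML body for every reference that would cause a network fetch when the message is rendered, single out the tiny or hidden images that match the tracking-pixel pattern described above, and rewrite remote image sources so nothing is fetched. The sample message, the hostnames in it (all under the reserved `.invalid` TLD) and the function names are constructed for this example.

```python
"""Flag and neutralise remote content (tracking pixels) in an HTML email.

Added example; not code from the original article, from Heise or from
Apple.  It performs, on the mail-client side, what Mail's "load remote
content" privacy setting is meant to enforce.  The sample message and
every hostname in it are constructed.
"""
import re
from dataclasses import dataclass
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: one inline (cid:) image that needs no network access,
# one legitimate remote banner, one 1x1 hidden tracking GIF carrying a
# per-recipient token, and a remote CSS background image.
SAMPLE_HTML = """\
<html><body>
<img src="cid:logo@example.invalid" alt="logo">
<img src="https://cdn.example.invalid/banner.png" width="600" height="100">
<p>Hello, here is our newsletter.</p>
<img src="http://track.example.invalid/open.gif?u=abc123" width="1" height="1" style="display:none">
<table><tr><td style="background:url(//img.example.invalid/bg.jpg)">offer</td></tr></table>
</body></html>
"""

# http(s) and protocol-relative URLs trigger a fetch; cid: and data: do not.
_REMOTE_URL = re.compile(r"^\s*(?:https?:)?//", re.IGNORECASE)
# url(...) inside an inline style attribute.
_CSS_URL = re.compile(r"""url\(\s*['"]?([^'")]+)['"]?\s*\)""", re.IGNORECASE)
# A quoted src attribute pointing at a remote URL (used by the rewriter).
_REMOTE_SRC_ATTR = re.compile(r"""(\bsrc\s*=\s*)(["'])((?:https?:)?//[^"']*)\2""", re.IGNORECASE)


@dataclass
class RemoteRef:
    tag: str              # element carrying the reference
    url: str
    host: str             # server that learns the message was rendered
    tracking_pixel: bool  # tiny or hidden image: the open-tracking pattern


def _looks_like_pixel(attrs):
    """True for images 1x1 or smaller, or hidden via inline CSS."""
    dims = []
    for key in ("width", "height"):
        value = attrs.get(key, "").strip().lower()
        if value.endswith("px"):
            value = value[:-2]
        if value.isdigit():
            dims.append(int(value))
    style = attrs.get("style", "").replace(" ", "").lower()
    hidden = "display:none" in style or "visibility:hidden" in style
    return (len(dims) == 2 and max(dims) <= 1) or hidden


class _Scanner(HTMLParser):
    """Collects every remote reference that rendering the message would fetch."""

    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        a = {name: (value or "") for name, value in attrs}
        src = a.get("src", "")
        if tag in ("img", "iframe", "source", "video", "audio") and _REMOTE_URL.match(src):
            self.refs.append(RemoteRef(tag, src, urlparse(src).netloc,
                                       tag == "img" and _looks_like_pixel(a)))
        href = a.get("href", "")
        if tag == "link" and _REMOTE_URL.match(href):  # external stylesheet
            self.refs.append(RemoteRef(tag, href, urlparse(href).netloc, False))
        for url in _CSS_URL.findall(a.get("style", "")):  # CSS background images
            if _REMOTE_URL.match(url):
                self.refs.append(RemoteRef(tag, url, urlparse(url).netloc, False))


def scan_remote_content(html):
    """Return the remote references found in the message, in document order."""
    scanner = _Scanner()
    scanner.feed(html)
    scanner.close()
    return scanner.refs


def block_remote_images(html):
    """Blank remote src attributes so a renderer fetches nothing.

    The original URL is kept in data-blocked-src so a client can offer a
    "load remote content for this message" action later, on the user's
    explicit request, rather than at preview time.
    """
    return _REMOTE_SRC_ATTR.sub(
        lambda m: f'data-blocked-src={m.group(2)}{m.group(3)}{m.group(2)} src=""', html)


if __name__ == "__main__":
    for ref in scan_remote_content(SAMPLE_HTML):
        kind = "TRACKING PIXEL" if ref.tracking_pixel else "remote content"
        print(f"{kind:15} <{ref.tag}> -> {ref.host}  ({ref.url})")
    print(block_remote_images(SAMPLE_HTML))
```

On the sample, the scanner reports three remote references and marks only the hidden 1x1 GIF as a tracking pixel; the `cid:` logo is ignored because it is embedded in the message. The rewriter only blanks `src` attributes, so the CSS background image is still reported after rewriting: that residual finding is the point of the article, since a filter is only effective in the component that actually renders the message, and a previewer that bypasses the client's setting (as Spotlight does here) fetches everything regardless.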
The only way to mitigate this is to exclude Mail from your Spotlight search by unticking the Mail & Messages box in System Preferences > Spotlight, as shown above. You will of course lose some functionality because your emails will no longer pop up in Spotlight searches, but at least you’ll be on the safe side.
I’m sure Apple will address this in the next OS update now that the glitch has been publicized.
Also worth mentioning, this glitch doesn’t affect people like myself who use a third-party application such as Dropbox’s Mailbox, Google’s Sparrow or Mindsense’s Mail Pilot as their daily email driver.