OS X Yosemite Spotlight

An unusual oversight in how OS X’s Spotlight feature handles privacy settings in Apple Mail leaves the door open to spammers, phishers and online tracking companies who can obtain private data such as your IP address, current operating system version, browser details and more, whenever an email message is previewed in Spotlight.

First discovered by German technology news site Heise, the problem combines a common information-harvesting technique with a Mail setting that determines whether or not the program loads remote content in emails.

If turned off, Mail won’t load images in newsletters, HTML-formatted marketing messages and other emails. Spotlight, a search feature available anywhere in OS X, for some reason does not honor this setting.

As a result, each time you preview an email message in Spotlight the system retrieves images stored on remote servers, regardless of Mail’s privacy setting. This isn’t a major concern when you preview legitimate marketing messages that you subscribed to.

[Image: OS X Yosemite Mail Load Remote Content]

However, spammers and marketeers commonly use a technique called tracking pixels: the email links to a one-pixel-square GIF file which, when loaded, tells the server that you’ve received and opened the email. In turn, the server flags your email address as “alive” and from that point onward you’ll receive even more unsolicited messages.

“What’s more, Spotlight also loads those files when it shows previews of unopened emails that landed directly in the junk folder,” notes Heise.

[Image: OS X Spotlight exclude Mail]

The only way to mitigate this is to exclude Mail from your Spotlight search by unticking the Mail & Messages box in System Preferences > Spotlight, as shown above. You will of course lose some functionality because your emails will no longer pop up in Spotlight searches, but at least you’ll be on the safe side.

I’m sure Apple will address this in the next OS update now that the glitch has been publicized.

Also worth mentioning, this glitch doesn’t affect people like myself who use a third-party application such as Dropbox’s Mailbox, Google’s Sparrow or Mindsense’s Mail Pilot as their daily email driver.

Source: Heise

  • Buzz { Light:Year; }


  • blastingbigairs

    Hence why I pay $40 a year for a program called Private Internet Access to hide my IP address. Worth every penny!

    • Buzz { Light:Year; }


      • blastingbigairs

        VPN tunneling yes. PIA masks your real IP address with an anonymous IP address, effectively keeping websites and internet services from tracking your web browsing habits, monitoring what you search for, and discovering your geographic location. <— Direct quote from their site LOL!!

      • Buzz { Light:Year; }

        I’ll stick to pc

      • blastingbigairs

        I have both, but then I also have a Honda Civic and an Audi S4. We all know which one has the better build quality and performance.

      • Buzz { Light:Year; }

        Well build quality differs I can make my own pc

      • Buzz { Light:Year; }

        And make it look better than a Mac with much more power

      • blastingbigairs

        I have yet to see a PC that looks better than an iMac or MacBook, but I’ll take your word for it.

      • Buzz { Light:Year; }

        If you built your own to your preference then it’s better than a Mac for that person. Just face the fact that Macs aren’t the best.

      • blastingbigairs

        Like I said, I’ll take your word for it, I’ve just never looked.

      • Haha, just FYI, if you log in to an account on the tracking site (e.g. facecrook), it doesn’t really matter if you hide your IP, they’ll still track you like normal using cookies. The only difference hiding your IP makes is it’ll fake your geolocation. If you actually want to avoid trackers in your web browser, I recommend you install the Ghostery extension for your web browser.

      • blastingbigairs

        Will do thanks!

    • MagicHack

      The thing is that even if your IP address is hidden, they can still see that you opened the message and mark your address as active.

      • The thing is you can create filters to send their junk to your spam box (if they aren’t already there).

        In actuality if I’m reading this correctly all this bug accomplishes is the following:

        1. Gives somebody your ip address
        2. Tells somebody you’ve read their email message.

        This isn’t that big of a deal in the grand scheme of things but should still be fixed.

    • JaeM1llz

      It doesn’t matter what your IP is. They’re checking to see if your e-mail address is active. Unless you have a way of masking your e-mail address, this still affects you.

    • Timothy

      What an expensive VPN…

      • blastingbigairs

        Yea that $3.33 a month is killing me!!! LOL!!

  • DC

    Has this been fixed?