
Spotlight Search in OS X Yosemite Falls Foul of Another Privacy Glitch

Oh dear. Spotlight search on OS X Yosemite has another privacy problem.

You may remember that we raised concerns before about how Spotlight search in OS X Yosemite can leak your private information back to Apple, if you weren’t careful enough to change its default settings.

Now a new concern about OS X’s search feature has come to light, and it could help scammers, spammers and stalkers find out more about you than you would ever want.

The problem is connected to HTML email. Many spammers and online marketers have for many years embedded tiny tracking pixels into their HTML emails which load from a remote server. By checking their server logs, the sender can tell the IP address of anyone who viewed the message, how many times it was opened, and even—by appending a tag in the URL of the remote image being loaded in the user’s email client—know which specific email address opened it.

The information provided by a transparent tracking image does help legitimate online marketers measure the open-rate of their email campaigns, but it can hardly be considered anonymised data.
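
To see what a message would fetch before any client renders it, the added example below (not code from the original article) parses a raw email with Python's standard library and reports each remote image, whether it is pixel-sized, and any tag carried in its URL. The sample message, the rcpt parameter name and the .example hosts are constructed assumptions.

```python
from email import message_from_string, policy
from html.parser import HTMLParser
from urllib.parse import urlsplit, parse_qsl

class RemoteImageFinder(HTMLParser):
    """Collects <img> tags whose src would be fetched from a remote server."""
    def __init__(self):
        super().__init__()
        self.images = []

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        a = dict(attrs)
        src = (a.get("src") or "").strip()
        if urlsplit(src).scheme in ("http", "https"):
            self.images.append((src, a.get("width"), a.get("height")))

def find_remote_images(raw_message):
    """Return host, URL parameters and a tiny-size (0x0/1x1) flag per remote image."""
    msg = message_from_string(raw_message, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        finder = RemoteImageFinder()
        finder.feed(part.get_content())
        for src, width, height in finder.images:
            url = urlsplit(src)
            findings.append({"host": url.hostname, "params": dict(parse_qsl(url.query)),
                             "tiny": width in ("0", "1") and height in ("0", "1")})
    return findings

# Constructed sample message; shop.example and tracker.example are placeholders.
SAMPLE = """\
From: news@shop.example
To: alice@example.org
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body><p>Hello!</p>
<img src="cid:logo@shop.example" width="200" height="50">
<img src="https://tracker.example/open.gif?rcpt=alice%40example.org" width="1" height="1">
</body></html>
"""

if __name__ == "__main__":
    for finding in find_remote_images(SAMPLE):
        print(finding)
```

The inline cid: logo is ignored because it travels inside the message, while the 1x1 image is reported along with the recipient address embedded in its URL.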

Furthermore, there’s one group of privacy-conscious computer users who have a particular need to hide their personal information. If you are being stalked, or have an abusive partner, the last thing you may want is for them to know your rough location.

And yet, a stalker could easily embed a tracking pixel into an email and be able to deduce (via details such as your IP address, the operating system you are using, and more) where you are most likely to be.

As a result, many users set their Mac Mail app to not “load remote content in messages.” In a nutshell, if the image doesn’t load—they can’t tell if you read the email or not, and they won’t be able to tell your IP address.

And you would think that would be the end of the matter.

But no.

Because even if you have disabled remote content, such as images, from being viewed in your Mac Mail app, Spotlight search completely ignores the privacy setting and can display the message in its search preview—including embedded images!

Surely you would have expected OS X to have respected the privacy setting you chose in Mail, rather than behaving entirely differently if the message pops up during a Spotlight search?

IDG reports that Spotlight search will even preview messages that have (perhaps quite rightly) ended up in your junk folder because of their dodgy nature:

The Spotlight preview loads those files even when users have switched off the “load remote content in messages” option in the Mail app, a feature often disabled to prevent email senders from knowing if an email has arrived and if it has been opened. What’s more, Spotlight also loads those files when it shows previews of unopened emails that landed directly in the junk folder.

And let’s not even start to contemplate the risks if a zero-day vulnerability was found in OS X’s handling of certain image types. Their display within Spotlight search could—in theory—result in your computer becoming infected by malware just by viewing the email, even when remote images in Mail are disabled.

Until Apple gets its act together and rolls out a security update, the best advice for those concerned is probably to revisit your Spotlight search settings and disable the searching of Mail & Messages.

To adjust your Spotlight search settings, open System Preferences and choose Spotlight. You should also probably take the time to read my earlier article about other privacy concerns with Spotlight in OS X Yosemite.

This probably isn’t a “sky is falling” security issue, but it should still be fixed. Let’s hope that Apple includes a patch for the problem in a future Software Update.

About Graham Cluley

Graham Cluley is an award-winning security blogger, researcher and public speaker. He has been working in the computer security industry since the early 1990s, having been employed by companies such as Sophos, McAfee and Dr Solomon's. He has given talks about computer security for some of the world's largest companies, worked with law enforcement agencies on investigations into hacking groups, and regularly appears on TV and radio explaining computer security threats. Graham Cluley was inducted into the InfoSecurity Europe Hall of Fame in 2011, and was given an honorary mention in the "10 Greatest Britons in IT History" for his contribution as a leading authority in internet security. Follow him on Twitter at @gcluley.