Apple failed to kill a bug in the Mail app for macOS for months despite its potential to expose private details in emails that the user thought were encrypted.
Security researcher Bob Gendler first discovered the flaw in July and notified Apple of it. Although Apple has released four updates for macOS since that time, the privacy flaw still hasn’t been fixed. Apple says it’s working to resolve the issue soon, though.
According to Gendler’s findings, macOS stores unencrypted fragments of encrypted emails in a file called snippets.db. Siri uses these portions of the emails to make better suggestions to users. Only portions of the emails are exposed, but the fact that Apple, a company that prides itself on its privacy stance, has left some information vulnerable is a big concern to Mail users.
An Apple spokesperson told The Verge that it’s aware of the issue and will address it in a future software update. Gendler says the bug can currently be found on macOS Catalina, Mojave, High Sierra, and Sierra.
This bug probably only affects a small percentage of Mac users. If you’re using FileVault, which encrypts your entire system, then you’re safe. Apple Mail users who want to ensure their encrypted emails don’t get stored in snippets.db should go to System Preferences > Siri > Siri Suggestions & Privacy > Mail and toggle off the “Learn from this App” option.
Turning off the Siri learning feature only prevents new emails from being stored in snippets.db. To get rid of the old ones, you may need to delete the entire snippets.db file. Apple hasn’t said when a fix will come down the pipeline.