macOS Mail bug exposes portions of encrypted emails

Your encrypted emails on Mac might not be as private as you think.
Photo: Apple

Apple failed to kill a bug in the Mail app for macOS for months despite its potential to expose private details in emails that the user thought were encrypted.

Security researcher Bob Gendler first discovered the flaw in July and notified Apple of it. Despite releasing four updates for macOS since that time, the privacy flaw still hasn’t been fixed. Apple says it’s working to resolve the issue soon, though.

According to Gendler’s findings, macOS stores unencrypted fragments of encrypted emails in a file called snippets.db. The portions of the emails are used by Siri to make better suggestions to users. Only portions of the emails are exposed but the fact that Apple, a company that prides itself on its privacy stance, has left some information vulnerable is a big concern to Mail users.

An example of an exposed portion of an encrypted email.
Photo: Bob Gendler

An Apple spokesperson told The Verge that it’s aware of the issue and will address it in a future software update. Gendler says the bug can currently be found on macOS Catalina, Mojave, High Sierra, and Sierra.

This bug probably only affects a small percentage of Mac users. If you’re using FileVault, which encrypts your entire system, then you’re safe. Apple Mail users who want to ensure their encrypted emails don’t get stored in snippets.db should go to System Preferences > Siri > Siri Suggestions & Privacy > Mail and toggle off the “Learn from this App” option.

Turning off the Siri learning feature only prevents new emails from being stored in snippets.db. To get rid of the old ones you may need to delete the entire snippets.db file. Apple hasn’t said when a fix will come down the pipeline.
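
To check whether a Mac still holds such a file before deleting anything, a read-only audit like the following can help. This is an added example, not code from the article or from Apple; the default search root (`$HOME/Library`) and the assumption that snippets.db is an SQLite database are the example's own, since the article gives neither.

```shell
#!/bin/sh
# Added example: read-only audit for leftover snippets.db files.
# Assumptions: the search root defaults to "$HOME/Library" (the article gives
# no path) and the file is an SQLite database, identified by its header.

# Print every file named snippets.db under ROOT ($1).
find_snippet_dbs() {
    find "${1:-$HOME/Library}" -type f -name 'snippets.db' 2>/dev/null || true
}

# Print how many such files exist under ROOT ($1).
count_snippet_dbs() {
    find_snippet_dbs "$1" | wc -l | tr -d ' '
}

# Print "sqlite" if FILE ($1) starts with the plain SQLite header, else "other".
db_format() {
    if [ "$(head -c 15 "$1" 2>/dev/null)" = "SQLite format 3" ]; then
        echo sqlite
    else
        echo other
    fi
}

# Print "on", "off" or "unknown" from fdesetup, the macOS FileVault tool.
filevault_state() {
    command -v fdesetup >/dev/null 2>&1 || { echo unknown; return 0; }
    case "$(fdesetup status 2>/dev/null || true)" in
        *"FileVault is On"*)  echo on ;;
        *"FileVault is Off"*) echo off ;;
        *)                    echo unknown ;;
    esac
}

# Report FileVault state and each snippets.db found; nothing is deleted.
audit_snippets() {
    root="${1:-$HOME/Library}"
    echo "FileVault: $(filevault_state)"
    echo "snippets.db files under $root: $(count_snippet_dbs "$root")"
    find_snippet_dbs "$root" | while IFS= read -r f; do
        size=$(wc -c < "$f" | tr -d ' ')
        echo "  $f  format=$(db_format "$f")  bytes=$size"
    done
}

audit_snippets "${1:-$HOME/Library}"
```

A file reported as `format=sqlite` is a plain database that any tool able to read the file can open, which is why the FileVault state is printed alongside it.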
