Apple ‘Hide My Email’ Vulnerability Exposes Users’ Real Email Addresses

Apple’s “Hide My Email” feature is currently affected by an unpatched vulnerability that allows attackers to discover the real email address behind an anonymized alias, according to researcher Tyler Murphy and independent tests by 404 Media.

Apple’s Hide My Email, part of iCloud+, generates unique relay addresses intended to keep a user’s primary inbox private during sign‑ups and app registrations.

According to Murphy, co‑founder of EasyOptOuts, a flaw in this mechanism enables almost anyone with limited technical skill to uncover the underlying real email address that should remain hidden.

Apple ‘Hide My Email’ Vulnerability

404 Media reports that the issue was validated against one of its own hidden addresses and remained exploitable as of Monday, more than a year after it was first reported to Apple.

EasyOptOuts discovered the vulnerability and provided Apple with detailed reproduction instructions over a year ago, in accordance with standard responsible disclosure practices. Despite this, Apple has not deployed a fix or communicated mitigations to affected users, leaving the weakness active in production services.

With the bug still exploitable, 404 Media and Murphy have opted for partial disclosure: warning the public while withholding exact exploitation steps to prevent trivial abuse.

Hide My Email is widely used by privacy‑conscious users who rely on Apple’s ecosystem to compartmentalize identities across services and reduce tracking and spam.

The vulnerability undermines that trust boundary by turning supposedly opaque aliases into weak pseudonyms that can be resolved back to the real mailbox, increasing the risk of targeted phishing, spam correlation, and deanonymization of accounts tied to sensitive activities.

Because exploitation does not require elevated privileges or insider access, the threat model extends to ordinary attackers who can systematically enumerate or probe Hide My Email addresses.

“We reported the issue and replication instructions to Apple over a year ago. We don’t know why it hasn’t been fixed, but we don’t feel comfortable waiting any longer,” Murphy told 404 Media, stressing that Hide My Email users “deserve to know that it may be possible for attackers to discover their hidden email addresses.”

The decision highlights a growing tension between vendor silence and the need for actionable transparency in consumer privacy tools. Until Apple addresses the flaw, journalists, activists, and other high‑risk users should treat Hide My Email aliases as linkable to their real email identity and adjust their operational security accordingly.

The post Apple ‘Hide My Email’ Vulnerability Exposes Users’ Real Email Addresses appeared first on Cyber Security News.

Source: cybersecuritynews.com
