We usually see Apple boasting about its seemingly robust security and privacy measures. Nonetheless, like any other technology, Apple products are also vulnerable to security bugs. Recently, a researcher found that Apple Mail on macOS stores encrypted emails of the users in plain text. What’s even weirder with this issue is that Apple hasn’t fixed the glitch yet despite knowing about it for months.
Apple Mail Stores Encrypted Emails
According to the researcher Bob Gendler, Apple Mail stored encrypted emails of the users in unencrypted form on macOS. Sharing his findings via a Medium blog post, the researcher explained that this glitch happens even when Siri isn’t active. The researcher confirmed the program stored –
“completely, totally, fully — UNENCRYPTED — readable” emails.
As elaborated, this issue mainly affects Apple Mail on macOS, where the glitch arises in how Siri and macOS suggest contacts to the users. Gendler was investigating this feature when he noticed a folder including numerous database files.
This led me to the process called suggestd, run by the system level LaunchAgent com.apple.suggestd, and the Suggestions folder in the user-level Library folder, which contains multiple files and some potentially important database files (.db files).
These databases primarily contribute to suggesting contacts as they store information from Apple Mail and other apps.
Eventually, the researcher noticed that one such database file snippets.db stored encrypted emails in an entirely unencrypted form. This activity continued even with disabled Siri.
It means that anyone could view those messages, that should supposedly have been encrypted, without the need for any private key. Hence, the entire effort of sending encrypted emails goes in vain.
Consequently, the researcher considered this activity as an incident of information exposure. Also, he busted the myth that a disabled Siri stops data collection on macOS.
Likewise, he also found another database file, entities.db, storing other records, such as users’ names, contact numbers, and emails. It also stores phone numbers extracted from email messages and signatures, even when a user does not have stored the number on his device.
This issue specifically affects all recent macOS versions, Mojave, Catalina, Sierra, and High Sierra.
Possible Mitigations
Strangely, Apple already knows the issue for several months since Gendler reported it to Apple in July 2019. However as it currently stands, over 100 days from the report and back to back security updates to the affected devices, Apple still hasn’t patched the bug yet.
Though, according to The Verge, Apple has promised to fix the bug in a future software update.
Fortunately, the researcher has shared some ways through which the users can mitigate the bug.
- Adjust device settings this way: System Preferences → Siri →Siri Suggestions & Privacy. Then uncheck the Apple Mail option.
- Disable Siri from learning by running this command in Terminal: defaults write com.apple.suggestions SiriCanLearnFromAppBlacklist -array com.apple.mail
- Deploy a System-level configuration profile for all users to manage Siri. The researcher recommends this option as the only viable option to disable Siri on macOS.
Moreover, users trying any of these options should also delete the snippets.db file to delete the stored emails.
Let us know your thoughts in the comments.