
Major Apple Bug Appears to Disclose All Real Emails for 'Hide My Email' Users

A vulnerability in Apple's privacy-focused iCloud Plus feature allows attackers to discover users' real email addresses.

CNET
Key Takeaways
  • A bug in Apple's Hide My Email feature for iCloud+ exposes users' real email addresses in message headers when they reply to forwarded emails.
  • The vulnerability was disclosed by CNET on March 26, 2025, based on findings from an unnamed security researcher; Apple has not yet commented on a fix.
  • Hide My Email generates random addresses that forward to a user's real iCloud account, designed to prevent companies from tracking the user's actual email.
  • The bug reportedly affects all iCloud+ subscription tiers, potentially impacting over 400 million subscribers worldwide.
  • Security experts recommend disabling Hide My Email for critical accounts and using temporary email services until Apple releases a patch.
A bug in Apple's privacy-centric Hide My Email feature is inadvertently disclosing the very information it was designed to protect: users' real email addresses. Discovered by security researchers and reported by CNET, the flaw affects iCloud+ subscribers who rely on Apple's anonymized email forwarding service. The bug, which surfaces in email headers, allows attackers to bypass the anonymity of Apple's proxy system and view the actual iCloud account behind a random address.

Hide My Email, part of Apple's iCloud+ subscription, generates unique, random email addresses that forward messages to a user's real inbox. It is a cornerstone of Apple's privacy pitch, marketed as a way to sign up for services without revealing personal data. The vulnerability undermines that promise.

According to CNET's reporting, the bug manifests when a user replies to or composes an email through the generated address. In certain scenarios, the real email address is embedded in the message headers, visible to any recipient with basic email inspection tools. This means that any sender who receives a reply from a Hide My Email address could potentially retrieve the user's actual address.

The flaw impacts all iCloud+ tiers, which start at $0.99 per month and include users of Apple's paid storage plans. With over 400 million iCloud+ subscribers worldwide, the potential exposure is vast. Apple has not yet issued a public statement or released a patch. Security experts recommend that users disable Hide My Email for sensitive accounts until a fix is deployed.

The Hide My Email bug is the latest in a series of privacy stumbles for Apple, which has built its brand around data protection. In 2021, the company introduced iCloud+ features including Private Relay and Hide My Email to differentiate itself from Google and Facebook. This vulnerability could erode user trust, especially among privacy-conscious customers.

As of now, there is no confirmed timeline for a fix. Apple typically responds to such vulnerabilities with server-side changes or iOS updates. Users are advised to monitor Apple's security advisories and consider alternative temporary email services for high-stakes sign-ups. The incident underscores the fragility of even the most polished privacy features when bugs go undetected.
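
A self-check for the header exposure described above, as an added example that is not from CNET or Apple: it parses a reply saved from your own Sent folder and lists every header, after unfolding and RFC 2047 decoding, that contains your real address. The article does not say which header carries the address, so the sample message, its addresses and the `X-Original-Sender` header are constructed for illustration.

```python
from email import message_from_string, policy

# Constructed sample of a reply sent through an alias. All addresses and the
# X-Original-Sender header are made up; the page names no specific header.
SAMPLE_REPLY = """\
From: Alias <alias-example@relay.example>
To: shop@vendor.example
Subject: Re: Your order
Message-ID: <abc123@mail.example>
X-Original-Sender: =?utf-8?q?jane.doe=40icloud.example?=
Received: from client.example (envelope-from <jane.doe@icloud.example>)
\tby smtp.example; Wed, 26 Mar 2025 10:00:00 +0000

Thanks, received.
"""


def find_address_leaks(raw_message, real_address):
    """Return (header name, decoded value) for each header exposing real_address."""
    # policy.default unfolds continuation lines and decodes RFC 2047
    # encoded-words, so an encoded copy of the address is still found.
    msg = message_from_string(raw_message, policy=policy.default)
    needle = real_address.strip().lower()
    hits = []
    # walk() also visits the headers of each MIME part in multipart messages.
    for part in msg.walk():
        for name, value in part.items():
            decoded = str(value)
            if needle in decoded.lower():
                hits.append((name, decoded))
    return hits


if __name__ == "__main__":
    for name, value in find_address_leaks(SAMPLE_REPLY, "jane.doe@icloud.example"):
        print(f"real address visible in {name}: {value}")
```

Run it against the raw source of a test reply sent to an address you control; an empty result means the real address does not appear in any header of that message.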

Frequently Asked Questions

A vulnerability in Apple's Hide My Email feature allows attackers to discover users' real email addresses. The bug appears when a user replies to an email sent to a random Hide My Email address, causing the real address to be exposed in email headers.

Hide My Email is a privacy feature in Apple's iCloud+ subscription. It generates unique, random email addresses that forward messages to the user's actual iCloud account. Users can create and delete these addresses at will.

All iCloud+ subscribers who use Hide My Email may be affected. The bug impacts any user who replies to or composes emails through a generated address, potentially revealing their real email to the recipient.

As of now, Apple has not released a patch or made an official statement. The company typically addresses such issues via server-side changes or iOS updates. Users should monitor Apple's security advisories.

Until Apple provides a fix, consider disabling Hide My Email for sensitive accounts. Use temporary email services for new sign-ups. Avoid replying to forwarded emails through generated addresses.

The bug compromises the privacy promise of Hide My Email. For non-critical accounts, the risk may be low, but for high-stakes privacy, it is advisable to use alternative methods until Apple releases a fix.

Original source

www.cnet.com
