Mac owners who regularly make use of OS X's built-in Mail application and Spotlight search should take care when searching through e-mail messages, as Spotlight's preview functionality has been shown to ignore Mail's remote content settings and could inadvertently transmit unintended data to e-mail senders.
When a Mail user searches for and selects an e-mail message in Spotlight, the preview pane automatically loads and renders images embedded in HTML e-mails. Disabling Mail's "load remote content in messages" setting does not prevent this from happening, according to IDG News Service.
Most e-mail marketers track the downloading of images included in their messages, which allows senders to analyze open rates and collect basic subscriber information like IP address and browser version. Spotlight's automatic previews could expose this information even for users who are cognizant of the practice and attempt to disable it.
It should be noted that this functionality does not expose any information that would not otherwise be transmitted if the e-mail and images were opened in Mail or any other e-mail reader, such as Google's Gmail, though it could prove concerning for privacy-conscious users.
Until Apple addresses the issue, users can work around it by removing e-mail messages from Spotlight results. To do this, navigate to System Preferences → Spotlight and uncheck "Mail & Messages" in the list.
34 Comments
I presume this will be quickly remedied now that it's been exposed. One annoyance I find in Mavericks: right-clicking on an email to identify it as spam/junk should not result in the loading of that email, it should immediately disappear to the Junk folder unread. Just my opinion.
Is Apple intentionally bypassing user privacy settings? /s ;)
Gatorguy wrote: "Is Apple intentionally bypassing user privacy settings? /s ;)"
I guess we'll see if it gets patched up in a subsequent OS update. Then again, at least Apple actually has meaningful privacy settings.
C|NET: Google Says Gmail Users Have No Expectation Of Privacy (http://www.cnet.com/news/google-filing-says-gmail-users-have-no-expectation-of-privacy/)
/s
They are too busy thinking of, and building, new features for their annual OS updates, that is turning everyone numb.
So, QA is understaffed and overworked and didn't run this security check.
Or, it was an acceptable bug to go out at shipping.
Sticking to web-based email access...
"Most e-mail marketers track the downloading of images included in their messages, which allows senders to analyze open rates and collect basic subscriber information like IP address and browser version. Spotlight's automatic previews could expose this information even for users who are cognizant of the practice and attempt to disable it.
It should be noted that this functionality does not expose any information that would not otherwise be transmitted if the e-mail and images were opened in Mail or any other e-mail reader, such as Google's Gmail, though it could prove concerning for privacy-conscious users."
So close to a non-issue and with the fix of simply deleting the thing without opening EVER. Then deleting the trash. Which I do regularly anyway. A point to iOS then where a swipe to delete doesn't open the message.