Apple confirms it fixed bug that stored parts of encrypted emails as readable text

Mac enthusiast and IT specialist Bob Gendler stumbled upon the bug in July 2019 and immediately reported it to Apple. When developers failed to issue a fix, Gendler publicly disclosed it in November.

Shortly after it was made known, Apple told The Verge they would push out a fix in “a future software update.” Cupertino’s slow reaction to the bug was likely due to all the conditions that had to be met before the emails could be read.

The bug is only present for those sending encrypted emails using Apple Mail on macOS. Furthermore, if FileVault is being used to encrypt the entire system, the snippets cannot be read. Lastly, someone would have to know where to look to find the files.

The partial emails were stored in a system database used for Siri suggestions, which is not easy to find. Not only that, an attacker would have to have root access to retrieve them.

Apple treating the patch as a low priority is understandable given the circumstances, but what is puzzling is that the fix is not mentioned in the macOS release notes at all. Gendler points out that patch notes for betas of Catalina 10.15.3 indicate that encrypted emails will no longer appear in Spotlight searches. It may be that, to fix the bug, Apple completely changed the way encrypted emails are indexed.

Gendler tested the update and discovered that encrypted emails are no longer handled by the database. Apple confirmed Wednesday that macOS 10.15.3 did indeed address the problem.