Reports suggest a glitch in Apple’s OS X Yosemite is making it possible for spammers to steal IP addresses and other private data from unsuspecting users. As spotted by the German tech outlet Heise, the issue appears to be with Apple’s built-in Spotlight search and the way it treats Apple Mail results.
The glitch was replicated successfully when tested by IDG News Service and has to do with the way Spotlight will ignore user privacy options from within Apple Mail. The company suggests users turn off “load remote content in messages" from within their Mail settings in order to avoid tracking pixels and other scams that spammers might attempt in order to steal private information.
The problem is that when users search for something in Spotlight that brings back a Mail message of malicious nature, the remote content selection is ignored and the files are loaded up as part of the results. If a tracking pixel or something of the sort is loaded in this way, onlookers can easily pull IP addresses, system info, browser history/details and other things they shouldn’t be able to access.
At this point, there has been no response from Apple regarding the Spotlight vulnerability, but there are things Apple Mail users can do to protect themselves in the mean time. It looks as though the best way is to simply block Spotlight from accessing Mail content manually. Go to System Preferences, then into the Spotlight options where you’ll find a list of content that will be included in results, and then uncheck the "Mail & Messages" option.