A vulnerability in Apple’s “Hide My Email” tool lets almost anyone discover a person’s real email address that is supposed to be hidden by the feature, and Apple has failed to fix it for more than a year, according to a security researcher and 404 Media’s own tests.
404 Media is not revealing the exact details of the vulnerability because it can still be exploited as of Monday, when 404 Media verified the issue with one of our own hidden email addresses.
Hide My Email, part of Apple’s iCloud+ subscription, generates random @icloud.com addresses that forward to your real inbox—letting you sign up for services without revealing your actual email address. I seldom use Hide My Email because my email address is already all over the Internet, but this seems like a “you had one job” situation. It’s a particularly bad look for Apple to have ignored this reported vulnerability for over a year, and I suspect the company will fix it soon due to all the negative press now that it’s public. In other (possibly related?) Hide My Email news, TechCrunch recently reported that Apple plans to change the generated email addresses to the @private.icloud.com domain, which would make it trivial for apps and websites to identify and block Hide My Email addresses.
I was going to ask a question about using hide my email. When Comcast emptied my Inbox, some of my email went into the Spam folder. One of them was a company I want to receive email from, but the only way to contact them is to sign up for their newsletter again. I did that using my only email address. Apparently, that isn’t going to work. So I thought about making up a “hide my email” email. Since it will go into my only Comcast Inbox, would that work?
I agree that my email address is easily found (and I do not use Hide My Email). However, I do add “+uniqueID” to my email address username for most new business contacts. (For example, if my real email address is myname@domain.com, I would use myname+uniqueID@domain.com when registering with the business. Of course, I use a different uniqueID for each business.) This has three advantages.
1. Sites that use my email address as my loginID get a loginID that is different from my basic email address. If my loginID at one site is compromised, it cannot be used at a different site. [Edit. I believe this would solve @janesprando’s issue.]
2. If I receive emails concerning more than one account from a business, it lets me tell which account the email concerns.
3. If the business shares my email with some other business, I can tell where the second business got my address. (Well, not always. The second business could share the address with a third business, and so on.)
Question. Can I use a Hide My Email address when registering at a business web site? In other words, can Hide My Email addresses be associated with specific web sites so that a Hide My Email address could serve the same functions as my +uniqueID scheme? Thanks.
This is probably not as effective as it once was, since almost everyone knows you can strip out the plus and everything after to get the real email address.
If you own your own email domain, as I do, you can usually add email alias addresses ad infinitum without additional cost. Anytime I need a throwaway address, I can just create a new address@mydomain.com. My email host is set to route all unknown email addresses on my domain to a specific mailbox, so I don’t even have to create a specific alias. I can strip it out if I need to with either a client-side filter or by creating an alias that’s automatically rejected by the server.
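The two aliasing schemes described in the comments above (a +uniqueID tag on one mailbox, and a catch-all custom domain with selected aliases rejected) come down to the same routing logic: parse the incoming recipient, look the tag up to see which business it was given to, and reject tags you have revoked. The block below is an added example written for this page, not code from any commenter or from Apple; the registry of tags, the revoked set, the sample addresses and all function names are constructed for illustration. It also implements the "strip the plus and everything after" normalization from the reply above, to make concrete why plus-addressing only helps the owner attribute and filter mail and hides nothing from anyone who knows the convention.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed data for this example (not from the thread): which tag was handed
# to which business, and which tags the owner has since revoked.
TAG_REGISTRY = {
    "acme2023": "Acme Widgets",
    "newsltr": "Example Newsletter",
    "bank01": "Example Bank",
}
REVOKED_TAGS = {"newsltr"}

# One "@" separating a non-empty local part from a non-empty domain. Quoted
# local parts and other RFC 5321 corner cases are deliberately not handled.
ADDRESS_RE = re.compile(r"^(?P<local>[^@\s]+)@(?P<domain>[^@\s]+)$")


@dataclass(frozen=True)
class Alias:
    base: str            # local part with any "+tag" removed
    tag: Optional[str]   # text after "+", or None if there was no plus
    domain: str


def parse_alias(address: str) -> Alias:
    """Split an address into base local part, optional plus-tag and domain.

    Local parts are case-sensitive per the RFC, but common providers treat
    them case-insensitively, so everything is lower-cased for comparison.
    """
    m = ADDRESS_RE.match(address.strip())
    if not m:
        raise ValueError(f"not a simple user@domain address: {address!r}")
    base, sep, tag = m.group("local").lower().partition("+")
    return Alias(base=base, tag=tag if sep else None, domain=m.group("domain").lower())


def normalize(address: str) -> str:
    """The 'strip the plus and everything after' step mentioned in the thread.

    Applying this collapses every +tag variant onto the same real address,
    so plus-addressing gives no privacy against a party who knows the trick.
    """
    a = parse_alias(address)
    return f"{a.base}@{a.domain}"


def classify(address: str, own_domain: str, base_local: Optional[str] = None) -> dict:
    """Decide how to handle mail addressed to one of our aliases.

    Two schemes from the thread are covered:
      * plus-addressing on one mailbox: base_local+tag@own_domain
      * a catch-all custom domain (base_local=None): anything@own_domain,
        where the whole local part acts as the tag.
    Returns {"action": "deliver" | "reject" | "not-ours", "tag": ..., "business": ...}.
    """
    a = parse_alias(address)
    if a.domain != own_domain.lower():
        return {"action": "not-ours", "tag": None, "business": None}

    if base_local is not None:
        # Plus-addressing: the base must be our real mailbox name.
        if a.base != base_local.lower():
            return {"action": "not-ours", "tag": None, "business": None}
        if a.tag is None:
            # Mail to the bare address: deliver, but there is nothing to attribute it to.
            return {"action": "deliver", "tag": None, "business": None}
        tag = a.tag
    else:
        # Catch-all domain: the whole local part (plus-tag included) is the alias name.
        tag = a.base if a.tag is None else f"{a.base}+{a.tag}"

    if tag in REVOKED_TAGS:
        return {"action": "reject", "tag": tag, "business": TAG_REGISTRY.get(tag)}
    business = TAG_REGISTRY.get(tag, "unregistered alias (possible leak or guess)")
    return {"action": "deliver", "tag": tag, "business": business}


def distinct_real_addresses(addresses) -> int:
    """How many real mailboxes a list of aliases resolves to after normalization."""
    return len({normalize(addr) for addr in addresses})


if __name__ == "__main__":
    samples = ["myname+acme2023@domain.com", "myname+bank01@domain.com", "myname+newsltr@domain.com"]
    for s in samples:
        print(s, "->", classify(s, "domain.com", "myname"))
    print("these collapse to", distinct_real_addresses(samples), "real address(es)")
    print("catch-all:", classify("acme2023@mydomain.com", "mydomain.com"))
```

The same `classify` call works for both schemes: pass your mailbox name as `base_local` for plus-addressing, or omit it for a catch-all domain so that the whole local part is treated as the alias. An "unregistered alias" result on a catch-all domain is worth logging, since it means someone is sending to an address you never handed out.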