It’s hard for me to assess how real this risk is. Without details, we’re just extrapolating from circumstantial vibes.
What’s described sounds like it might be spooky. It might also be a magic trick to some degree… Mr. Cox’s PoC—“I gave a fresh Hide-My-Email alias to a guy who knows who I am, and he told me the email on my Apple ID”—isn’t exactly watertight.
It also sounds like it might be the sort of thing that’s either “just how the email ecosystem works” or mitigable by covert means. For example, if Apple can identify exploit attempts from its privileged vantage over its infrastructure, maybe that’s the basis for its relaxed impact assessment.
I’m reminded of Amazon’s risk assessment with respect to some Quick bug recently [0]: “yeah, it’s bad, but we checked and there are literally zero people who have that feature switched on.”
Or maybe it’s the kind of thing that requires a structural sort of tradeoff to conclusively fix. I could imagine the exposure mechanism having something to do with their forthcoming move to segregate aliases to their own “private.icloud.com” domain. A move at which Mr. Cox swipes in the 404 Media article, too, of course, but hey—“impact journalism.”
And then, since we have only vibes to go on, there’s the judgment reflected in the researcher’s email to Apple:
> “It seems that ending new sales of Hide My Email until the problem is fixed would be an effective way to limit the number of customers at risk. Is that an option?” Murphy wrote back.
I can only hope that was a sardonic moment of frustration quoted out of context. But as-is, it’s giving a little bit of Chicken Little… I’m reminded of the time somebody demanded that a firm I’m familiar with halt all sales and pay hush money because of a CRITICAL SECURITY HOLE: you could access the contents of a password field by pressing F12 in the browser and typing `$("#pw-input").value` …
If the flaw really is the sort of thing that required fundamental product changes to fully address, like this domain segregation thing, a year doesn’t seem wild at all to make that transition safely and at scale. Especially if they identified effective mitigations in the meantime.
[0] https://www.theregister.com/columnists/2026/05/13/aws-patche...
Is it based on mail undeliverable errors? Or attempts to login using IMAP or SMTP with it? Or is it exposed during the SMTP protocol?
As someone who doesn't rely on this feature, I'd love to know now as well, but perhaps the etiquette in public would be to align ourselves with:
> we will not discuss or disclose the details of the exploits until they're fixed.
But if there's a public forum where the cat's already out of the bag, then game on. Perhaps this:
https://www.reddit.com/r/apple/comments/1ukilw1/apple_hide_m...
My guess would be it has nothing to do with email itself. Maybe it's some iCloud API that accepts obfuscated emails but returns the original email in the response, or an ID which can be used to retrieve the iCloud email from another API endpoint. Could be as simple as an "add contact/friend" feature in some Apple product (like a mail client, or a file sharing service) that resolves the obfuscated email to the original iCloud account.
I think you should formally write to Apple and give notice of 30 days to contact you or you will reveal it.
Send it to the USA media and regulator too
archive link: https://archive.vn/mCbBw
I think "real email" address is underselling it, since that's commonly the Apple ID, which is the gateway to some people's whole digital existence. Not to mention the fact that you tend to use Hide My Email in particular for services you don't want any identity leaked to. The "real email" may contain your legal name already.
We put up a timeline of the disclosure here: https://easyoptouts.com/guides/apple-hide-my-email-is-leakin...
Thanks! We'll make that the main URL and put the submitted link in the toptext.
That's disappointing, both that the vulnerability exists in the first place, and that Apple takes over a year to not even fix it.