Two ways to prevent data from leaking to email sender

Jan 10, 2015 08:58 GMT

[Image: Information received from the email recipient upon loading the external picture]

A potential privacy flaw, which can reveal to the sender of an email private information regarding the recipient of the message, has been discovered in Spotlight, the system-wide search tool in OS X.

Spotlight is designed to index every item present on an OS X system so that the user can quickly find a specific item.

To improve the search experience, the feature also provides a preview of certain file types, including emails. The moment the preview of an email is displayed, images available from external sources are also loaded.

Hidden images hosted on external servers track users

Marketers and phishing scammers often include pictures in their emails, for the purpose of learning if their message has been opened by the recipient, thus confirming that the address is currently active. By including small pics hosted on their servers, they log the machines that access the asset.

Oftentimes, the images are one pixel large, making them invisible to the user. An option in most email clients, Apple Mail included, allows blocking external content from being loaded when opening a message, specifically to avoid such tracking methods.

However, Spotlight cannot be configured to this effect and the option in Apple Mail does not extend to the previewing feature in Spotlight.

The German security publication Heise noticed this behavior and published an article (in German) on the matter on Friday; IDG News has also confirmed it.

When the external item is loaded, the administrator of the server hosting it receives information about the recipient that is useful not only to marketers but also to cybercriminals.

Hackers could adapt their attacks to the victim’s setup

The details leaked this way include the IP address of the machine that received the message, build number of the web browser used, as well as the version of the currently running operating system.

Based on this information, an attacker could tailor compromise methods to the specific configuration, and also gains confirmation that the user checks their inbox. Moreover, in a targeted attack, knowing that the target is interested in a certain subject is crucial to the success of the operation.

One method available to users for preventing the data leak is to stop mail and messages from being shown in the search results list generated by Spotlight.

Alternatively, a plug-in is available for Quick Look, Apple’s preview feature, which prevents loading external content in the email preview and shows it in plain text only.

Emails preview leaks data (images)

[Image: Information received from the email recipient upon loading the external picture]
[Image: Small image inserted in email]
[Image: Disabling the preview of email and messages solves the problem]