HeadlinesBriefing favicon HeadlinesBriefing.com

Apple Hide My Email Security Flaw Exposes User Addresses After Year-Long Unfixed Issue

Hacker News •
×

Apple's Hide My Email service, designed to protect iCloud+ users' real email addresses, contains security vulnerabilities that allow attackers to discover hidden addresses. The service generates random iCloud.com addresses as intermediaries, but researchers found methods to reverse-engineer the connection back to users' permanent emails.

The disclosure timeline reveals a year-long unresolved issue. Researchers reported the first vulnerability on June 11, 2025, with additional flaws found by July 9. Apple claimed fixes in March and June 2026, but verification using original reproduction steps confirmed the vulnerabilities persist. Despite multiple reports spanning over a year, no effective patch has been deployed.

The security implications extend beyond individual privacy concerns. Users who signed up for services using Hide My Email addresses may have unknowingly exposed their real identities. Many thanks to Joseph Cox at 404 Media for facilitating responsible disclosure. The researchers refuse to detail exploit methods until Apple resolves the issue, citing user protection.

Practical recommendations include limiting the attack surface by disabling new Hide My Email address creation. Apple should notify all users about potential exposure risks. Until fixes deploy, Hide My Email users should assume their anonymity isn't guaranteed and reconsider using the service for sensitive registrations.