Joseph Cox, reporting for 404 Media:
404 Media is not revealing the exact details of the vulnerability
because it can still be exploited as of Monday, when 404 Media
verified the issue with one of our own hidden email addresses.

“Apple Hide My Email is leaking email addresses that are supposed
to be hidden. We reported the issue and replication instructions
to Apple over a year ago. We don’t know why it hasn’t been fixed,
but we don’t feel comfortable waiting any longer. Hide My Email
users deserve to know that it may be possible for attackers to
discover their hidden email addresses,” Tyler Murphy, the
co-founder of EasyOptOuts, which discovered and reported the issue
to Apple, told 404 Media. […]

To test the issue I generated a new Hide My Email address and
provided it to Murphy. Around five minutes later, he replied with
my real email address linked to my Apple account which was
supposed to be hidden.

“We don’t know the full scope of the issue, but in our limited
tests with volunteers, 100% of Hide My Email addresses were
exploitable,” Murphy said.
Not good. Especially the “We reported the issue and replication instructions to Apple over a year ago” part. (Is this possibly related to the WWDC news that Apple is merging the domain names used for Sign In With Apple and Hide My Email? I can’t see why, but who knows?)
