Apple’s "Hide My Email" Vulnerability Exposes Real Email Addresses Despite Privacy Promises
A critical unpatched vulnerability in Apple’s Hide My Email feature allows attackers to uncover the real email addresses behind anonymized aliases, undermining the tool’s core privacy protections. The flaw, discovered by researcher Tyler Murphy (co-founder of EasyOptOuts) and independently verified by 404 Media, remains exploitable more than a year after being reported to Apple.
Hide My Email, part of Apple’s iCloud+ subscription, generates unique relay addresses to shield users’ primary inboxes during sign-ups or app registrations. However, the vulnerability enables even low-skilled attackers to bypass this protection, exposing the original email tied to an alias. 404 Media confirmed the issue by testing it against one of its own hidden addresses, with the flaw persisting as of this week.
Murphy’s team provided Apple with detailed reproduction steps over a year ago under responsible disclosure practices, but the company has neither deployed a fix nor communicated mitigations to users. In response, Murphy and 404 Media have opted for partial disclosure warning the public while withholding exact exploitation methods to limit abuse.
The vulnerability poses significant risks for privacy-conscious users, including journalists, activists, and others relying on Hide My Email to compartmentalize identities and reduce tracking. By converting supposedly anonymous aliases into traceable links to real inboxes, the flaw increases exposure to targeted phishing, spam correlation, and deanonymization of accounts tied to sensitive activities. Exploitation requires no special privileges, making it accessible to a broad range of attackers.
Murphy emphasized the urgency of public awareness, stating, “We don’t know why [Apple] hasn’t been fixed, but we don’t feel comfortable waiting any longer. Hide My Email users deserve to know that it may be possible for attackers to discover their hidden email addresses.” The incident underscores tensions between vendor inaction and the need for transparency in consumer privacy tools. Until Apple addresses the issue, users particularly those in high-risk categories are advised to treat Hide My Email aliases as potentially linkable to their real identities.
Source: https://cybersecuritynews.com/apple-hide-my-email-vulnerability/
Apple cybersecurity rating report: https://www.rankiteo.com/company/apple
"id": "APP1782915867",
"linkid": "apple",
"type": "Vulnerability",
"date": "6/2025",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{'affected_entities': [{'customers_affected': 'Users of Apple’s *Hide My '
'Email* feature, particularly '
'journalists, activists, and '
'privacy-conscious individuals',
'industry': 'Technology',
'location': 'Cupertino, California, USA',
'name': 'Apple Inc.',
'size': 'Large',
'type': 'Technology Company'}],
'attack_vector': 'Exploitation of unpatched software flaw',
'customer_advisories': 'Users, especially journalists, activists, and '
'privacy-conscious individuals, are advised to assume '
'their real email addresses may be exposed if using '
'*Hide My Email*.',
'data_breach': {'personally_identifiable_information': 'Email addresses',
'sensitivity_of_data': 'High (real email addresses linked to '
'anonymized aliases)',
'type_of_data_compromised': 'Email addresses'},
'description': 'A critical unpatched vulnerability in Apple’s *Hide My Email* '
'feature allows attackers to uncover the real email addresses '
'behind anonymized aliases, undermining the tool’s core '
'privacy protections. The flaw enables low-skilled attackers '
'to bypass this protection, exposing the original email tied '
'to an alias. The vulnerability poses significant risks for '
'privacy-conscious users, including journalists, activists, '
'and others relying on *Hide My Email* to compartmentalize '
'identities and reduce tracking.',
'impact': {'brand_reputation_impact': 'Potential erosion of trust in Apple’s '
'privacy tools',
'data_compromised': 'Real email addresses behind anonymized '
'aliases',
'identity_theft_risk': 'Increased exposure to targeted phishing '
'and deanonymization',
'operational_impact': 'Undermines privacy protections for users',
'systems_affected': 'Apple’s *Hide My Email* feature'},
'investigation_status': 'Vulnerability disclosed but unpatched; investigation '
'ongoing by researcher and media',
'lessons_learned': 'Delays in vendor response to critical vulnerabilities can '
'necessitate public disclosure to protect users. Privacy '
'tools must be rigorously tested for edge-case flaws that '
'undermine their core functionality.',
'post_incident_analysis': {'corrective_actions': 'Apple should deploy a fix '
'for the vulnerability and '
'improve its vulnerability '
'disclosure response '
'process.',
'root_causes': 'Unpatched vulnerability in *Hide '
'My Email* feature, lack of timely '
'response from Apple'},
'recommendations': 'Apple should prioritize patching the vulnerability and '
'communicate transparently with users about risks. Users, '
'particularly those in high-risk categories, should treat '
'*Hide My Email* aliases as potentially linkable to their '
'real identities until a fix is deployed.',
'references': [{'source': '404 Media'},
{'source': 'Researcher Tyler Murphy (EasyOptOuts)'}],
'response': {'communication_strategy': 'Partial disclosure by researcher and '
'media to warn users while withholding '
'exact exploitation methods'},
'stakeholder_advisories': 'Apple has not issued official advisories or '
'mitigations. Researchers advise users to treat '
'*Hide My Email* aliases as potentially '
'compromised.',
'title': "Apple’s 'Hide My Email' Vulnerability Exposes Real Email Addresses "
'Despite Privacy Promises',
'type': 'Privacy Vulnerability',
'vulnerability_exploited': 'Unpatched vulnerability in Apple’s *Hide My '
'Email* feature'}