Question of the Day
One question per day to look beyond the headlines.
Where does Hide My Email’s privacy promise break—at the alias generator, or the proxy mapping behind it?
Take-away: Hide My Email’s privacy fails when aliases remain deterministically linkable to the backend identity mapping, so that knowing an alias lets attackers resolve the real address.
The privacy promise of Apple's Hide My Email appears to break at both the alias generator and the proxy mapping behind it. A vulnerability in the service exposes the real email address behind a generated alias, which potentially lets attackers link Hide My Email aliases to users' real accounts or addresses [1], [2], [3]. The issue can reportedly be exploited to reveal a real address within minutes [3]. Despite the intended privacy protections, all tested Hide My Email addresses were found to be exploitable, indicating that both the alias generator and the proxy mapping may be at fault [2], [3]. Apple has acknowledged the issue and is reportedly investigating, but a final fix has yet to be released [3].
- Apple’s ‘Hide My Email’ Feature May Reveal Users’ Real Addresses (gizmodo.com)
- Apple's Hide My Email May Not Be Hiding Anything (engadget.com)
- Apple's Hide My Email feature might not be so private after all - Android Authority (androidauthority.com)