Thanks for everything y'all do with Easy Opt Outs. I've put a number of family members and acquaintances onto it. I'm glad this service exists at an actually affordable rate
Can you please clarify whether this is only an issue if I reply to an email sent to one of my HME addresses or whether you can unmask any HME address w/o needing a reply from the recipient.
Can you also clarify whether it matters what the forwarding address is? e.g. whether my HME addresses forward to an icloud.com address (e.g. js2@icloud.com) or say a personal domain associated with my Apple ID (e.g. js2@example.org).
I've been going back and forth with Apple about it for a year. We don't feel comfortable releasing the exploit details even though they're being slow. We think enough people rely on Hide My Email for personal safety that it would be irresponsible.
I think "real email" address is underselling it, since that's commonly the apple-ID, which is the gateway to some people's whole digital existence. Not to mention the fact, you tend to use hidemyemail in particular for services you don't want any identity leaked to. The "real email" may contain your legal name already.
It’s hard for me to assess how real this risk is. Without details, we’re just extrapolating from circumstantial vibes.
What’s described sounds like it might be spooky. It might also be a magic trick to some degree… Mr. Cox’s PoC—“I gave a fresh Hide-My-Email alias to a guy who knows who I am, and he told me the email on my Apple ID”—is consistent with the claimed behavior but not exactly watertight.
It also sounds like it might be the sort of thing that’s either “just how the email ecosystem works” or mitigable by covert means. For example, if Apple can identify exploit attempts from its privileged vantage over its infrastructure, maybe that’s the basis for its relaxed impact assessment.
I’m reminded of Amazon’s risk assessment with respect to some Quick bug recently [0]: “yeah, it’s bad, but we checked and there are literally zero people other than you who’ve ever used that feature that way.”
Or maybe it’s the kind of thing that requires a structural sort of tradeoff to conclusively fix. I could imagine the exposure mechanism having something to do with their forthcoming move to segregate aliases to their own “private.icloud.com” domain.
(A move at which Mr. Cox swipes in the 404 Media article, too, of course, but hey—“impact journalism.”)
And then, since we have only vibes to go on, there’s the judgment reflected in the researcher’s email to Apple:
> “It seems that ending new sales of Hide My Email until the problem is fixed would be an effective way to limit the number of customers at risk. Is that an option?” Murphy wrote back.
I can only hope that was a sardonic moment of frustration quoted out of context… Hide My Email is “sold” as a tiny tiny bonus feature of a much bigger iCloud+ product. But as-quoted, it’s giving a little bit of Chicken Little… I’m reminded of the time somebody demanded that a firm I’m familiar with halt all sales (and pay hush money) because of a CRITICAL SECURITY HOLE: you could access the contents of a password field by typing the password in the field, pressing F12 in the browser, and typing $(“#pw-input”).value …
If the flaw really is the sort of thing that required fundamental product changes to fully address—like this domain segregation thing—a year doesn’t seem wild at all to make that transition safely and at scale. Especially if they identified effective mitigations in the meantime.
I use this feature often and I'm very disappointed. Depending on the exploit, I'm awaiting to join a class action lawsuit. I'm constantly humiliated by believing Big Tech's security promises and I've had enough. I suspect that this is yet another intentional backdoor. When these security systems fail, people like me experience violence.
As someone who uses this feature I never send messages from a hide my email address as I only use it for random email signups. Am I still at risk of having my email exposed??? It’s also handy for using for free trials lol.
I guess the vulnerability should work as follows (I haven't tried it), you send an email with a very large attachment to a "hide my email" address, the server that receives it (private.icloud.com) forwards it to the email server registered in iCloud which, being the very large attachment, sends a response email (from the real address) with the rejected email message. It's the first thing I would try.
31 comments
[ 1.1 ms ] story [ 42.2 ms ] threadTo me it seems, at least in this instance there is not even an exploit needed and the feature apparently is just broken beyond belief.
Can you also clarify whether it matters what the forwarding address is? e.g. whether my HME addresses forward to an icloud.com address (e.g. js2@icloud.com) or say a personal domain associated with my Apple ID (e.g. js2@example.org).
Send it to the USA media and regulator too
What’s described sounds like it might be spooky. It might also be a magic trick to some degree… Mr. Cox’s PoC—“I gave a fresh Hide-My-Email alias to a guy who knows who I am, and he told me the email on my Apple ID”—is consistent with the claimed behavior but not exactly watertight.
It also sounds like it might be the sort of thing that’s either “just how the email ecosystem works” or mitigable by covert means. For example, if Apple can identify exploit attempts from its privileged vantage over its infrastructure, maybe that’s the basis for its relaxed impact assessment.
I’m reminded of Amazon’s risk assessment with respect to some Quick bug recently [0]: “yeah, it’s bad, but we checked and there are literally zero people other than you who’ve ever used that feature that way.”
Or maybe it’s the kind of thing that requires a structural sort of tradeoff to conclusively fix. I could imagine the exposure mechanism having something to do with their forthcoming move to segregate aliases to their own “private.icloud.com” domain.
(A move at which Mr. Cox swipes in the 404 Media article, too, of course, but hey—“impact journalism.”)
And then, since we have only vibes to go on, there’s the judgment reflected in the researcher’s email to Apple:
> “It seems that ending new sales of Hide My Email until the problem is fixed would be an effective way to limit the number of customers at risk. Is that an option?” Murphy wrote back.
I can only hope that was a sardonic moment of frustration quoted out of context… Hide My Email is “sold” as a tiny tiny bonus feature of a much bigger iCloud+ product. But as-quoted, it’s giving a little bit of Chicken Little… I’m reminded of the time somebody demanded that a firm I’m familiar with halt all sales (and pay hush money) because of a CRITICAL SECURITY HOLE: you could access the contents of a password field by typing the password in the field, pressing F12 in the browser, and typing $(“#pw-input”).value …
If the flaw really is the sort of thing that required fundamental product changes to fully address—like this domain segregation thing—a year doesn’t seem wild at all to make that transition safely and at scale. Especially if they identified effective mitigations in the meantime.
Then again, maybe they really are negligent…
[0] https://www.theregister.com/columnists/2026/05/13/aws-patche...
They don't seem to know or care what is going on with their own email systems.
https://github.com/webmonch/hide-my-mail-cloudflare
Apple is about to make Hide My Email useless
https://news.ycombinator.com/item?id=48559935
https://www.apple.com/feedback/icloud/