![\"Spotlight](\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2015\/01\/spotlight-600x300.jpeg\")
\nOh dear. Spotlight search on OS X Yosemite has another privacy problem.<\/p>\n
\nOh dear. Spotlight search on OS X Yosemite has another privacy problem.<\/p>\n
You may remember that we raised concerns before about how Spotlight search in OS X Yosemite can leak your private information back to Apple<\/a>, if you weren’t careful enough to change its default settings.<\/p>\n Now a new concern about OS X’s search feature has come to light, and it could help scammers, spammers and stalkers find out more about you than you would ever want.<\/p>\n The problem is connected to HTML email. Many spammers and online marketers have for many years embedded tiny tracking pixels into their HTML emails which load from a remote server. By checking their server logs, the sender can tell the IP address of anyone who viewed the message, how many times it was opened, and even\u2014by appending a tag in the URL of the remote image being loaded in the user’s email client\u2014know which specific email address opened it.<\/p>\n The information provided by a transparent tracking image does help legitimate online marketers measure the open-rate of their email campaigns, but it can hardly be considered anonymised data.<\/p>\n And yet, a stalker could easily embed a tracking pixel into an email and be able to deduce (via details such as your IP address, the operating system you are using, and more) where you are most likely to be.<\/p>\n As a result, many users set their Mac Mail app to not “load remote content in messages.” In a nutshell, if the image doesn’t load\u2014they can’t tell if you read the email or not, and they won’t be able to tell your IP address.<\/p>\n And you would think that would be the end of the matter.<\/p>\n But no.<\/p>\n Because even if you have disabled remote content, such as images, from being viewed in your Mac Mail app, Spotlight search completely ignores the privacy setting and can display the message in its search preview\u2014including embedded images!<\/strong><\/p>\n Surely you would have expected OS X to have respected the privacy setting you chose in Mail, rather than behaving entirely differently if the message pops up during a Spotlight search?<\/p>\n IDG reports<\/a> that Spotlight search will even preview messages that have (perhaps quite rightly) ended up in your junk folder because of their dodgy nature:<\/p>\n The Spotlight preview loads those files even when users have switched off the \u201cload remote content in messages\u201d option in the Mail app, a feature often disabled to prevent email senders from knowing if an email has arrived and if it has been opened. What\u2019s more, Spotlight also loads those files when it shows previews of unopened emails that landed directly in the junk folder.<\/p><\/blockquote>\n And let’s not even start to contemplate the risks if a zero-day vulnerability was found in OS X’s handling of certain image types. Their display within Spotlight search could\u2014in theory\u2014result in your computer becoming infected by malware just by viewing the email, even when remote images in Mail are disabled.<\/p>\n Until Apple gets its act together and rolls out a security update, the best advice for those concerned is probably to revisit your Spotlight search settings and disable the searching of Mail & Messages.<\/p>\n To adjust your Spotlight search settings, open System Preferences<\/strong> and choose Spotlight<\/strong>. You should also probably take the time to read my earlier article about other privacy concerns with Spotlight in OS X Yosemite<\/a>.<\/p>\n This probably isn’t a “sky is falling” security issue, but it should still be fixed. Let’s hope that Apple includes a patch for the problem in a future Software Update.<\/p>\n","protected":false},"excerpt":{"rendered":" Good news for stalkers, spammers and scammers. Even if Mac users have told Mail not to load remote content in the messages they receive, Spotlight may be spilling the beans and sharing your private information.<\/p>\n","protected":false},"author":34,"featured_media":35416,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"spay_email":"","jetpack_publicize_message":"","jetpack_is_tweetstorm":false},"categories":[13,5,11],"tags":[275,174,1822,168,1435,106,124,285],"yoast_head":"\n\n\n\n\n\n\n\n\n\n\n\n\t\n\t\n\n\n\t\n\t\n\t\n![\"Stalker\"](\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2015\/01\/stalker-170.jpeg\")
Furthermore, there’s one group of privacy-conscious computer users who have a particular need to hide their personal information. If you are being stalked, or have an abusive partner, the last thing you may want is for them to know your rough location.<\/p>\n![\"Spotlight](\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2015\/01\/spotlight-disable-mail.jpeg\")
<\/p>\n