Troubling macOS Mail app flaw dents Apple’s new privacy push

Apple launched a brand new privacy offensive this week, with a revamped website designed to promote the company’s vow that it is head and shoulders above the rest when it comes to keeping your data safe.

Trouble is, when you go all-out like that, you kind of have to live up to it. And word of a flaw that could expose Mac users’ encrypted emails probably wasn’t welcomed at Infinite Loop. Apple has vowed to fix the admittedly obscure issue that leaves the macOS stock Mail app vulnerable from the current Catalina release, all the way back to 2016’s Sierra.

Related: Best MacBook 2019

The issue was discovered by IT specialist Bob Gendler, who posted his findings to his Medium blog. Worryingly, he reported the issue to Apple way back on July 29, which means Apple has known about it for some time now.

Gendler says he discovered that a database file used by Siri was gobbling up text from emails, potentially leaving them accessible to a hacker who gained access to a Mac. There are some pretty specific circumstances to be met in order to fall victim to the vulnerability, though, so it’s unlikely many users have been exposed.

If you are encrypting your whole hard drive in FileVault, for instance, you’re fine. You also have to be using and sending encrypted messages from the Mail app. The problem does not affect those who’re using third-party email clients.

As a workaround, discovered by Gendler, it’s possible to remove Mail from the troublesome snippets.db file accessed by Siri. All you need to do is head to System Preferences > Siri > Siri Suggestions & Privacy > Mail. Then you can turn off the “learn from this app” option for the Mail app.

Apple hasn’t said if anybody has been affected by the bug and did not tell The Verge when the fix will roll out. What’s more worrying is the 100 days Apple knew about the vulnerability before pledging to do something about it.