Apple’s Hide My Email feature is meant to protect users by creating random email addresses that forward messages to their real inbox, but a newly reported privacy flaw means attackers can discover the real email address linked to an Apple account.
404 Media said it verified the issue and confirmed that the flaw still worked when tested with one of its own hidden email addresses, although it did not publish technical details because the vulnerability can still be exploited.
Security researcher Tyler Murphy, co-founder of EasyOptOuts, said his team reported the issue to Apple more than a year ago after tests found that every generated Hide My Email address they checked allowed the real email address to be revealed.
Murphy said Apple first received the report in June last year and later claimed the issue had been fixed in March, but his follow-up testing showed that the problem remained active.
Apple then reportedly asked him not to reveal the flaw until it resolved the issue, but Murphy went public after the company missed its expected June fix timeline.
The report comes shortly after Apple announced that Hide My Email will use a new private.icloud.com domain in the future, a change that already raised concerns because companies can block that domain to limit the feature.