Apple patches Mac bug that exposed encrypted emails: Details here
Finally, a long-existing security flaw exposing parts of encrypted emails has been patched in Apple's macOS. The issue was discovered all the way back in July by IT specialist Bob Gendler. However, even after Gendler's private disclosure and public report in the ensuing months, the Cupertino giant didn't issue a fix until last week. Here's more about the bug and its fix.
Encrypted Apple Mail messages exposed through macOS file
As Gendler wrote in a November blog post, macOS had been storing encrypted emails from Apple Mail inside a database file, called snippets.db, located in the user-level Library folder. This file, he said, was designed to help Siri suggest information to users but was found hosting email messages in plain text (without requiring a private key), even when the assistant was disabled.
Only partial messages were exposed
While highlighting the issue publicly, Gendler noted that the file in question didn't expose complete email messages, only a part of them. Plus, he emphasized that it affected only those individuals who used Apple Mail on macOS (four versions - from Sierra to the all-new Catalina) to send encrypted emails and had FileVault's whole drive encryption turned off.
Now, Apple has responded with a fix
Back in November, Apple had said that it would fix the issue with a future update of macOS. And now, after a three-month-long wait, the company has done just that. It recently released macOS Catalina 10.15.3, which, Gendler says, appears to have plugged the security flaw exposing encrypted Apple Mail emails. However, the company has not yet officially confirmed this.
Gendler verified the macOS patch
While the release notes for the latest version do not say anything about preventing email exposure, the beta of the same version did note that encrypted emails will not appear in Spotlight searches. Beyond that, Gendler says that the database file that stored email snippets no longer does so, and that the AppleCare Enterprise Support team contacted him personally to inform him of the released fix.
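For readers who want to repeat Gendler's verification on their own Mac, the script below is an added example (it is not Gendler's tooling and not Apple's code). It opens the snippets.db database read-only and searches every table and text column for a marker phrase that should only exist inside an S/MIME-encrypted message, such as a unique subject line you mailed yourself as a canary. Two things are assumptions rather than facts from the article: the path `~/Library/Suggestions/snippets.db` (the article only says "the user-level Library folder"), and the `emails` table used in the constructed sample database, since the real schema is undocumented; the scan itself is schema-agnostic, so it does not depend on either.

```python
"""Check a Suggestions snippets.db for plaintext fragments of mail that was
sent encrypted.  Added example, not code from the article or from Apple.
The scan walks every table and text column, so it needs no knowledge of
the (undocumented) snippets.db layout."""
import os
import sqlite3
import sys
import tempfile

# Assumption: the per-user database lives here.  The article only says the
# file sits in the user-level Library folder; adjust the path if yours differs.
DEFAULT_DB = os.path.expanduser("~/Library/Suggestions/snippets.db")


def _tables(conn):
    """Names of all user tables in the database (skips SQLite internals)."""
    return [r[0] for r in conn.execute(
        "SELECT name FROM sqlite_master "
        "WHERE type='table' AND name NOT LIKE 'sqlite_%'")]


def find_leaks(db_path, markers):
    """Return [(table, column, rowid, excerpt)] for every text cell that
    contains one of `markers` (case-insensitive).

    `markers` are phrases known to occur only inside encrypted messages,
    e.g. a canary subject line you sent yourself with S/MIME on.
    An empty result after the 10.15.3 update is the expected outcome.
    """
    # Read-only URI so the check can never modify the live database.
    conn = sqlite3.connect(f"file:{db_path}?mode=ro", uri=True)
    lowered = [m.lower() for m in markers]
    hits = []
    try:
        for table in _tables(conn):
            cols = [r[1] for r in conn.execute(f'PRAGMA table_info("{table}")')]
            for col in cols:
                try:
                    rows = conn.execute(f'SELECT rowid, "{col}" FROM "{table}"')
                except sqlite3.OperationalError:
                    continue  # WITHOUT ROWID tables expose no rowid; skip them
                for rowid, value in rows:
                    if not isinstance(value, str):
                        continue  # only text cells can hold a message fragment
                    if any(m in value.lower() for m in lowered):
                        hits.append((table, col, rowid, value[:80]))
    finally:
        conn.close()
    return hits


def demo_db():
    """Constructed stand-in for snippets.db with a hypothetical `emails` table.
    One row holds a plaintext fragment of a message that was sent encrypted,
    mimicking the behaviour the article describes."""
    path = os.path.join(tempfile.mkdtemp(), "snippets.db")
    conn = sqlite3.connect(path)
    conn.execute("CREATE TABLE emails (id INTEGER PRIMARY KEY, "
                 "subject TEXT, snippet TEXT)")
    conn.executemany("INSERT INTO emails (subject, snippet) VALUES (?, ?)", [
        ("Lunch on Friday?", "Does noon work for everyone"),
        ("Canary-9f3b", "This sentence only exists in an S/MIME-encrypted message"),
    ])
    conn.commit()
    conn.close()
    return path


if __name__ == "__main__":
    # Usage: python check_snippets.py "Canary-9f3b" [more markers...]
    # With no arguments, runs against the constructed demo database.
    if len(sys.argv) > 1 and os.path.exists(DEFAULT_DB):
        target, markers = DEFAULT_DB, sys.argv[1:]
    else:
        target, markers = demo_db(), ["Canary-9f3b"]
    for table, col, rowid, excerpt in find_leaks(target, markers):
        print(f"{table}.{col} rowid={rowid}: {excerpt!r}")
```

On a patched system the scan should print nothing for a canary you sent after the update; a hit means the Suggestions database still holds plaintext from an encrypted message and the mitigations Gendler described (disabling Siri Suggestions for Mail, enabling FileVault) remain worth applying.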