A database in Apple’s MacOS stores encrypted email messages in a plain text format, according to a researcher who says he reported the problem to the company months ago.
Bob Gendler, a Mac expert and an IT specialist at the National Institute of Standards and Technology, published a Medium post on Nov. 6 detailing how, if a customer sends encrypted emails via Apple Mail, an outsider could access some of the text. The bug is specific, and likely only affects a fraction of macOS users: Hackers would need to access specific Apple system files from a victim who sent an encrypted message from Apple Mail through a macOS without FileVault encryption. Gendler classified the issue as an “inadvertent information exposure.”
The issue involves an Apple system file, snippets.db, that is storing text of emails without encryption (the files are meant to be protected with the S/MIME encryption protocol). Users do not need a private encryption key to access the files, and disabling Siri does not disable the vulnerability.
“This is a big deal for governments, corporations and regular people who use encrypted email and expect the contents to be protected,” Gendler wrote. “Secret or top-secret information, which was sent encrypted, would be exposed via this process and database, as would trade secrets and proprietary data.”
Apple is aware of the issue and said it intends to fix the problem in a forthcoming software update, according to the Verge. The vulnerability exists in four macOS versions, including Catalina, the current version of the software.
Gendler noted that he first notified Apple about the problem on July 29 and, while he said the company has acknowledged the report, a timeline for a patch is still not public.
“For a company that prides itself on security and privacy, the lack of attention to detail on an issue like this completely and totally surprises me,” he wrote. “It brings up the question of what else is tracked and potentially improperly stored without you realizing it.”
In the meantime, Apple did tell Gendler how users can protect their messages before a patch is introduced. Remove Apple Mail from snippts.db by going to the System Preferences section in settings. Then follow the Siri to Siri Suggestions & Privacy to Mail, and disabled the “learn from this app” function.