Apple’s OS X is a delightful operating system, but glitches (trivial or huge) can cripple even the most sophisticated environments around. A glitch in the spotlight search in OS X Yosemite has been discovered that may expose your private data to hackers.
The ‘potential’ risk may occur when you use the spotlight search, which indexes the mails (Apple’s mail app). The spotlight search shows previews of mails and by doing this, it automatically opens external links in the HTML email.
The preview loads these files even when users have disabled the “load remote content in messages” option in the Mail app, that may let the senders know of the reception of their mails and if you’ve read it. If this wasn’t enough, the spotlight search loads the content from the junk folder too.
Opening these external links can reveal your private information to the senders. Senders often use ‘tracking pixels’, usually a link to a one-pixel-square GIF file, in their mails that sends the information back to them that the email has been opened and the image is then loaded. Email marketeers use these images a lot to gather data. This can reveal your IP address to spammers, phishers and companies that track online data.
The potential privacy issue was first reported by German tech news site Heise, and has been replicated by the IDG News Service. They have sent several mails with tracking pixels to the Apple Mail. And as expected, the spotlight search loaded the unopened mails which revealed the receiver’s IP address, current OS version and some browser details to the host server.
Your IP address can reveal your location ( though the accuracy can be questionable). But even the slightest information about your system can harm you.
For the moment, you need to uncheck the “mail & messages” box for Spotlight in System Preferences to be on the safer side. No mails will be returned in the spotlight search and hence no previews will be shown.
We’ve contacted Apple for the issue and will update you once we get a reply.