Apple’s ‘Hide My Email’ reportedly exposing real email addresses

Apple Mail on iPhone with Apple logo in background
(Image credit: Shutterstock)

Back when it was first revealed alongside iCloud Plus, Apple’s Hide My Email seemed almost like magic: anyone could use it to avoid handing out their ‘real’ email address. However, a newly disclosed vulnerability reportedly shows that this privacy feature isn’t as private as advertised, giving an attacker a way to recover the actual email address behind one of its aliases.

For those unfamiliar, Hide My Email is one of the built-in perks that comes with a paid iCloud account. Once enabled, it lets you hand out a randomly generated address ending in @icloud.com instead of your primary one. Anything sent to that random address is automatically forwarded to your main inbox, so you can read it there without ever revealing which account it belongs to.

Think of Hide My Email as a fast-tracked way to get a burner email address from one of the biggest names in tech. Best of all, you don’t need an iPhone to use it, since Android and Windows users can also sign up for iCloud Plus.

From signing up for newsletters to free trials, Hide My Email can be an incredibly useful feature, especially for those times when you don’t want to use your work or personal email to avoid ending up with loads of spam in your inbox.

Personally, I always thought it seemed too good to be true, and according to a new report from 404 Media, that just might be the case. Here’s what we know about this Hide My Email vulnerability, along with some alternatives you might want to try until Apple rolls out a patch that actually fixes the flaw.

Not your standard disclosure


Normally with high-profile vulnerabilities, security researchers discover them and then privately inform the company in question about their findings. From there, the researcher usually gives the company a 90-day window to verify the bug, patch it, and test that the fix actually works before publishing anything. Sometimes a company will ask for an extension if it’s dealing with a difficult-to-patch, high-severity vulnerability.

According to 404 Media’s reporting, security researcher Tyler Murphy reported the Hide My Email vulnerability to Apple in June of last year, along with steps to reproduce it, and then waited far longer than the customary 90 days. More than a year later, with the flaw still unfixed, Murphy has now disclosed it to 404 Media.

It’s worth noting that neither Murphy nor 404 Media has revealed the technical details of the vulnerability. It does, however, appear to still be exploitable: the outlet independently verified the flaw this week by recovering one of its own reporters’ real addresses from a Hide My Email alias.

After Murphy reported the issue, Apple told him it was looking into the vulnerability, and in March of this year Cupertino said it had been fixed. During a follow-up investigation, however, Murphy found that it was still exploitable. When he contacted Apple again, the company asked him not to go public, saying it would "appreciate" him keeping quiet until an actual fix rolls out.

As it stands now, a patch that actually closes this bug hasn’t shipped, so until one does you should assume that a Hide My Email alias can be linked back to your real email address.

Hide My Email alternatives you can try right now


Given that this vulnerability directly undermines Apple’s privacy-first pitch, I’d be surprised if the company weren’t actively working on a fix now. But since your real email address could already have been exposed through this bug, you may be considering other options.

Another reason you might want to ditch Hide My Email is an upcoming change Apple recently announced in a blog post. Instead of random addresses ending in @icloud.com, all newly created aliases will end with the dedicated @private.icloud.com subdomain. This might seem like a small change, but it’s actually quite a significant one. Today’s @icloud.com aliases are indistinguishable from ordinary iCloud addresses, so a website can’t block them without blocking real users. Once every new alias lives on one obvious subdomain, a site only has to match the domain, and the very websites on which you previously used Hide My Email could start rejecting your burner addresses automatically. If you want to get ahead of that change, here are some alternatives worth considering.
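To make that blocking point concrete, here is an added example (not Apple’s, 404 Media’s or any named provider’s code) of the kind of domain filter a signup form could run. The list of alias domains is an assumption assembled from the services mentioned in this article, and the sample addresses are constructed, not real accounts. Note what the filter can and can’t see: the new @private.icloud.com alias is flagged immediately, while a legacy @icloud.com alias passes exactly like a genuine iCloud account.

```python
"""Added example (not Apple's, 404 Media's or any named provider's code):
a registration-time check showing why a dedicated alias subdomain is easy
to block while legacy @icloud.com aliases are not.

The domain list below is an assumption built from the services named in
this article; the sample addresses are constructed, not real accounts.
"""
from __future__ import annotations

# Assumed forwarding-service domains. icloud.com is deliberately absent:
# legacy Hide My Email aliases share it with ordinary iCloud accounts, so
# blocking it would also lock out real users.
ALIAS_DOMAINS = {
    "private.icloud.com",  # Apple's announced Hide My Email subdomain
    "duck.com",            # DuckDuckGo Email Protection
    "simplelogin.com",     # Proton SimpleLogin (assumed default domain)
    "mozmail.com",         # Firefox Relay (assumed default domain)
}


def domain_of(address: str) -> str | None:
    """Return the lower-cased domain of an email address, or None if malformed."""
    local, sep, domain = address.strip().rpartition("@")
    if not sep or not local or not domain or "@" in local:
        return None
    return domain.lower()


def is_alias_domain(address: str) -> bool:
    """True if the address is on a listed alias domain or any subdomain of one."""
    domain = domain_of(address)
    if domain is None:
        return False
    return any(domain == d or domain.endswith("." + d) for d in ALIAS_DOMAINS)


def classify(addresses: list[str]) -> dict[str, bool]:
    """Map each address to whether this simple domain filter would flag it."""
    return {a: is_alias_domain(a) for a in addresses}


# Constructed sample input: an ordinary iCloud account, a legacy alias,
# a new-style alias, a DuckDuckGo alias and a malformed string.
SAMPLE = [
    "alice@icloud.com",
    "k3x9q2wm@icloud.com",
    "k3x9q2wm@private.icloud.com",
    "Shopping@Duck.com",
    "not-an-address",
]

if __name__ == "__main__":
    for address, flagged in classify(SAMPLE).items():
        print(f"{address:32} {'flagged' if flagged else 'passes'}")
```

The filter is nothing more than a domain match, which is the point: the cost of detecting an alias collapses to zero the moment every alias shares a recognisable domain, whereas the legacy scheme forced a site to either accept all @icloud.com addresses or reject them all.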

Proton is well known for its privacy-first tools, and like Apple it offers an email forwarding service, SimpleLogin. It’s considered one of the best alternatives to Hide My Email overall: along with dedicated iOS and Android apps, it works in any web browser. Another useful feature is that you can toggle any of your aliases off with a single tap, cutting off a sender without touching your real inbox.

Another alternative worth considering is DuckDuckGo’s Email Protection. The privacy-focused search engine’s alias service is completely free and very lightweight. It’s built into DuckDuckGo’s browser extensions and mobile apps and generates @duck.com aliases. Besides hiding your real email address, it also removes known email trackers from messages sent to the alias before forwarding them to your real inbox.

Finally, there’s Mozilla’s Firefox Relay. It hands out email aliases through a simple browser extension and has a user-friendly dashboard that lets you manage, mask, and delete your aliases easily.

Apple’s Hide My Email made email aliases mainstream and has been a godsend for many iCloud users. However, given this recent vulnerability and its potential fallout, no one would blame you for giving a similar service a try.

Anthony Spadafora
Managing Editor Security and Home Office

Anthony Spadafora is the managing editor for security and home office furniture at Tom’s Guide where he covers everything from data breaches to password managers and the best way to cover your whole home or business with Wi-Fi. He also reviews standing desks, office chairs and other home office accessories with a penchant for building desk setups. Before joining the team, Anthony wrote for ITProPortal while living in Korea and later for TechRadar Pro after moving back to the US. Based in Houston, Texas, when he’s not writing Anthony can be found tinkering with PCs and game consoles, managing cables and upgrading his smart home. 