Exposed: Apple Hide My Email Flaw Reveals True Email Addresses

Researchers have discovered a potentially serious flaw in Apple’s “Hide My Email” feature that could reveal the real email addresses hidden behind the privacy shield.

While the details of the flaw haven’t been disclosed since the vulnerability still exists, the folks at 404 Media have confirmed its existence and were able to successfully exploit it in every one of their test cases.

To make matters worse, this issue — and the specific details on how it could be replicated — was reported to Apple over a year ago, and still hasn’t been fixed, according to Tyler Murphy, the co-founder of EasyOptOuts, which first discovered the flaw and filed the report with Apple.

Apple Hide My Email is leaking email addresses that are supposed to be hidden. We reported the issue and replication instructions to Apple over a year ago. We don’t know why it hasn’t been fixed, but we don’t feel comfortable waiting any longer. Hide My Email users deserve to know that it may be possible for attackers to discover their hidden email addresses.

Tyler Murphy, EasyOptOuts

Apple introduced Hide My Email in 2021 as part of its iOS 15 update, although it’s predominantly a back-end iCloud service. While all iCloud users were able to set it up during the beta period, it ultimately requires a paid iCloud+ subscription — although any pricing tier is eligible.

As the name implies, Hide My Email obscures your real email address by generating a random one that can be handed out instead. Messages sent to that address are automatically forwarded to your real email address, and if you’re an iCloud user, it will even be automatically used for replies.

At least that’s how it’s supposed to work. Even before this flaw was brought to light, there were several scenarios where your real email address could slip out if you weren’t careful. Chief among these was replying to an email sent to a Hide My Email address from an email client that didn’t know it was supposed to be using that as the “From” address. This could even happen with some built-in iOS services outside of the Mail app.

Further, while Hide My Email doesn’t require users to be iCloud users (hidden addresses can be forwarded to any other email address, from Gmail to your local ISP mailbox), all bets are off if you’re replying from one of those services. Unless you jump through hoops to explicitly set up your hidden email address as an alternate sender, your real email address is guaranteed to be exposed if you reply to a message from any service other than iCloud.

Lastly, it should go without saying that Hide My Email won’t protect you from law enforcement, as one bright spark discovered when he thought he could use Apple’s anonymity to send email threats to the FBI director’s girlfriend. Needless to say, the FBI handed Apple a court order, and Apple gave up the identity of the iCloud user — as it’s required to do by law.

Still, it’s fair to say that most folks using Hide My Email probably aren’t doing so for nefarious purposes, and probably aren’t even engaging in two-way communications with those addresses. Hide My Email is mostly a handy way to sign up for things online or fill in web forms when you’d rather not disclose your real address. After it’s used for a single confirmation code or receipt, many folks forget the address ever existed.

Is Hide My Email Still Private?

As someone who has worked with email technologies since nearly the dawn of the internet, I can think of several ways that Hide My Email addresses could be exposed. However, the most obvious ways generally involve the scenarios I already mentioned above: replies to messages sent to your Hide My Email address that could easily contain your real address, whether in the From line or buried within the email headers.
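The reply scenario described above can be checked before a message leaves a third-party mail client. The following is an added example, not part of the original article: it parses an outgoing reply and reports whether the sender is something other than the hidden alias and which other headers carry the real mailbox. The addresses, sample messages and the `audit_reply` function are constructed for illustration.

```python
from email import message_from_string
from email.utils import getaddresses

# Constructed sample data: placeholder addresses, not real mailboxes.
REAL = "jane.doe@mail.example"
ALIAS = "alias-7f3k@relay.example"

# Reply sent from a third-party client that used the real mailbox as sender.
REPLY_WRONG_SENDER = (
    "From: Jane Doe <jane.doe@mail.example>\n"
    "To: shop@store.example\n"
    "Subject: Re: Your order\n"
    "\n"
    "Thanks!\n"
)

# Sender is the alias, but other headers still carry the real mailbox.
REPLY_HEADER_LEAK = (
    "Received: from laptop (envelope-from <jane.doe@mail.example>)\n"
    "From: alias-7f3k@relay.example\n"
    "Reply-To: jane.doe@mail.example\n"
    "To: shop@store.example\n"
    "Subject: Re: Your order\n"
    "\n"
    "Thanks!\n"
)

# Sender is the alias and no header mentions the real mailbox.
REPLY_CLEAN = REPLY_WRONG_SENDER.replace("Jane Doe <" + REAL + ">", ALIAS)


def audit_reply(raw_message, real_address, alias):
    """Return (header, reason) pairs for every place the reply exposes real_address."""
    msg = message_from_string(raw_message)
    real, alias = real_address.lower(), alias.lower()
    findings = []

    # The visible sender must be exactly the alias.
    senders = [addr.lower() for _, addr in getaddresses(msg.get_all("From", []))]
    if senders != [alias]:
        findings.append(("From", "sender is not the alias"))

    # Any other header (Reply-To, Sender, Received, X-*) can carry the address too.
    for name, value in msg.items():
        if name.lower() != "from" and real in value.lower():
            findings.append((name, "real address present"))
    return findings
```
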

However, what’s much more concerning about this week’s report is that it doesn’t sound like any such interactions are necessary for the real address to leak. When 404 Media’s Joseph Cox tested it, he had to do nothing more than provide the address for Murphy to come back with the real one.

To test the issue I generated a new Hide My Email address and provided it to Murphy. Around five minutes later, he replied with my real email address linked to my Apple account which was supposed to be hidden.

Joseph Cox

There’s no mention of email exchanges using the Hide My Email address, or any other interactions on the part of the owner. The implication is that Murphy was able to take nothing more than the string of characters that make up an obscured Hide My Email address and use that to get Apple’s systems to disclose the real address.

Murphy ultimately went public with this issue because he feels that Apple has had more than enough time to address it, and now users should be warned. Apple reportedly acknowledged the issue in July 2025, and then claimed it had addressed it in March 2026. However, after Murphy demonstrated that it had not been fixed, he provided more information to Apple, which thanked him for his assistance but asked him not to disclose it.

We are still investigating this issue. To avoid placing our customers at risk, we would appreciate you not disclosing this information until our investigation is complete. We appreciate your assistance in helping us to maintain and improve the security of our products.

Apple’s response to Tyler Murphy

Murphy wrote back to Apple suggesting that it should consider “ending new sales of Hide My Email until the problem is fixed,” to limit the risk to its customers.

In late May, Apple acknowledged an issue with its security and promised to address it in a future update within the next few weeks. However, after delays from the company, Murphy took matters into his own hands and reached out to 404 Media with the details. He mentioned that he had given Apple a year to fix the problem and was no longer comfortable waiting.

It is interesting to note that Apple quietly revealed a change in its Hide My Email address strategy during WWDC. They announced that these addresses would now be hosted at @private.icloud.com instead of @icloud.com. This change raised concerns about the potential for sites to easily block these addresses since they are now identifiable by their own subdomain. However, it is unclear if this shift was influenced by Murphy’s report. From an email-technology standpoint, it is hard to see how changing to a subdomain would solve the issue.

So, what does this all mean? Hide My Email is still a useful tool for maintaining casual privacy and avoiding having your real email address exposed in databases or to spambots. However, the vulnerability discovered by researchers suggests that caution should be exercised when using it in situations where you absolutely do not want your actual email address to be revealed. Apple has indirectly acknowledged that this is currently a real risk.

In conclusion, while Hide My Email can still be used for basic privacy protection, it may not be foolproof in preventing the disclosure of your real email address. It is essential to be mindful of the potential risks and limitations of this feature.
