Spotlight search may expose private information to spammers

Tech site Ars Technica is reporting a new security issue with OS X, where spammers may be able to gain access to personal information through the use of Spotlight search.

The problem, as outlined by German security publication Heise Online and IDG News, allows IP addresses and perhaps other private information to be exposed through Spotlight searches, because Spotlight bypasses a security feature intended to prevent the loading of unwanted images in e-mail messages.

One of the ways spammers attack and attempt to track victims is by embedding images in e-mails that load from remote servers. When such an image loads, your IP address and the behavior associated with it are logged and used to spam you further and track your actions. To combat this, e-mail clients like Mail, Outlook, and Thunderbird contain options to prevent the loading of remote images. In Mail this is available in the Viewing section of Mail’s preferences; however, regardless of whether remote loading is disabled as recommended for security purposes, it appears Spotlight will still load the image when a message is found in a search.
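As an added defender-side illustration (not code from the article or from Apple), the Python script below parses a constructed e-mail and lists the images whose rendering would contact a remote server, which is exactly what reveals the reader's IP address; it also flags the ones that look like tracking beacons (1x1 size or a per-recipient query string). The message text and hostnames are made up for the example.

```python
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample (not from the article): inline cid image, a normal remote picture, a 1x1 beacon.
SAMPLE_EML = """\
From: promo@example.net
Subject: Weekly offer
Content-Type: text/html; charset="utf-8"

<html><body><p>Hello!</p>
<img src="cid:logo@example.net" alt="logo">
<img src="https://cdn.example.net/banner.png" width="600" height="120">
<img src="http://track.example.net/open?u=12345" width="1" height="1">
</body></html>
"""

class _ImgCollector(HTMLParser):
    """Collect the attributes of every <img> tag in an HTML body."""
    def __init__(self):
        super().__init__()
        self.images = []
    def handle_starttag(self, tag, attrs):
        if tag.lower() == "img":
            self.images.append(dict(attrs))

def is_remote(src):
    """True when rendering the image would contact an external server."""
    return urlparse(src).scheme.lower() in ("http", "https")

def looks_like_beacon(img):
    """Heuristic: remote and either tiny (<= 1px) or carrying a query string."""
    src = img.get("src", "")
    if not is_remote(src):
        return False
    tiny = img.get("width") in ("0", "1") or img.get("height") in ("0", "1")
    return tiny or bool(urlparse(src).query)

def remote_images(raw_eml):
    """Return (src, is_beacon) for every remote image in each text/html part."""
    msg = email.message_from_string(raw_eml, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        collector = _ImgCollector()
        collector.feed(part.get_content())
        findings += [(i["src"], looks_like_beacon(i)) for i in collector.images if is_remote(i.get("src", ""))]
    return findings
```

Running `remote_images(SAMPLE_EML)` on the sample reports the banner as a plain remote image and the 1x1 `open?u=12345` image as a beacon, while the `cid:` logo is ignored because it is embedded in the message itself.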

Overall, while this behavior circumvents a specific security setting, it is not a major security concern. At most, a search you run on your Mac may show an e-mail message as a result, which you might click to load its content. Doing so will not cause OS X to install anything or compromise your personal data, but it may load images from a remote server that can log the request. Nevertheless, it is something that hopefully Apple will tackle in an update, and in the meantime, if you are concerned then simply do not use Spotlight to search for e-mail messages.

To prevent Spotlight from searching for such messages, go to the Spotlight system preferences and then uncheck “Mail & Messages” in the Search Results listing. You can also go to your user library (hold the Option key and choose Library from the Go menu) and then add the Mail and Mail Downloads folders to the Spotlight Privacy list (the second tab in the Spotlight system preferences). These steps are likely overkill, but are one way to avoid this bug.

Mail & Messages Spotlight settings

Uncheck this option to prevent Mail messages from loading in Spotlight.

3 thoughts on “Spotlight search may expose private information to spammers”

  1. B. Jefferson Le Blanc

    Thanks for the tip. I already had Mail and Messages disabled, to prevent clutter in Spotlight searches. If I need to search Mail, I’ll use Mail.

      1. Topher Kessler Post author

        Spotlight will still index the files, but just not make them available during Spotlight searches. As a result, you should still be able to search for them within Mail, but not have them show when you use the systemwide Spotlight search. To eliminate this, you can add the Mail folders to Spotlight’s privacy list, and this will prevent Mail from being able to search the files.
