Tech site Ars Technica is reporting a new security issue with OS X, where spammers may be able to gain access to personal information through the use of Spotlight search.
The problem, as outlined by German security publication Heise Online and IDG News, allows IP addresses and perhaps other private information to be exposed through the use of Spotlight searches, because Spotlight bypasses a security feature intended to prevent the loading of unwanted images in e-mail communications.
One of the ways spammers attack and attempt to track victims is by embedding images in e-mails that load from remote servers. When such an image loads, your IP address and the behavior associated with it are logged and used to send you further spam and track your actions. To combat this, e-mail clients like Mail, Outlook, and Thunderbird contain options to prevent the loading of remote images. In Mail this is available in the Viewing section of Mail’s preferences; however, regardless of whether remote image loading is disabled as recommended for security purposes, it appears Spotlight will still load the image when a search matches the message.
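As an added example (not code from the article, from Apple, or from any mail client), the following Python script lists the remote image references a client would fetch when rendering an HTML message, which is exactly what a "load remote images" setting is meant to block; the sample message and its host names are constructed.

```python
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message (hypothetical hosts): a 1x1 remote tracking pixel,
# an inline cid: image that is not fetched, and an ordinary remote banner.
SAMPLE_EML = """\
From: sender@example.net
To: user@example.org
Subject: Newsletter
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body><p>Hello!</p>
<img src="https://tracker.example.net/open?id=abc123" width="1" height="1">
<img src="cid:logo@example.net" alt="logo">
<img src="http://images.example.net/banner.png" width="600" height="100">
</body></html>
"""

class _ImgCollector(HTMLParser):
    """Collect the attributes of every <img> tag in an HTML body."""
    def __init__(self):
        super().__init__()
        self.images = []

    def handle_starttag(self, tag, attrs):
        if tag == "img":
            self.images.append(dict(attrs))

def remote_images(raw_message):
    """Return the remote (http/https) image references a client would fetch when
    rendering the message; 1x1 images are flagged as likely tracking pixels."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        collector = _ImgCollector()
        collector.feed(part.get_content())
        for img in collector.images:
            src = img.get("src") or ""
            parsed = urlparse(src)
            if parsed.scheme.lower() not in ("http", "https"):
                continue  # cid:/data: images are embedded in the message, not fetched
            pixel = img.get("width") == "1" and img.get("height") == "1"
            findings.append({"url": src, "host": parsed.hostname,
                             "tracking_pixel": pixel})
    return findings
```

Every entry returned is a request the sender's server would see (with your IP address) the moment the message is rendered with remote loading enabled.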
To prevent Spotlight from searching for such messages, go to the Spotlight system preferences and then uncheck “Mail & Messages” in the Search Results listing. You can also go to your user library (hold the Option key and choose Library from the Go menu) and then add the Mail and Mail Downloads folders to the Spotlight Privacy list (the second tab in the Spotlight system preferences). These steps are likely overkill, but are one way to avoid this bug.
Thanks for the tip. I already had Mail and Messages disabled, to prevent clutter in Spotlight searches. If I need to search Mail, I’ll use Mail.
Except that Mail also uses the Spotlight database for searches.
Spotlight will still index the files, but just not make them available during Spotlight searches. As a result, you should still be able to search for them within Mail, but not have them show when you use the systemwide Spotlight search. To eliminate this, you can add the Mail folders to Spotlight’s privacy list, and this will prevent Mail from being able to search the files.