Apple to Fix macOS Mail Vulnerability That Leaves Text of Some Encrypted Emails Readable

There's a vulnerability in the macOS version of the Apple Mail app that leaves some of the text of encrypted emails unencrypted, according to a report from IT specialist Bob Gendler (via The Verge).

According to Gendler, the snippets.db database file used by a macOS function that offers up contact suggestions stores encrypted emails in an unencrypted format, even when Siri is disabled on the Mac.

In this email, Gendler demonstrates that the private key has been made unavailable in Mail, rendering the message unreadable. It continues to be available in the database, though.

Gendler initially discovered the bug on July 29 and reported it to Apple. Over the course of several months, Apple said that it was looking into the issue, though no fix ever came. The vulnerability continues to exist in macOS Catalina and earlier versions of macOS dating back to macOS Sierra.

Let me say that again... The snippets.db database is storing encrypted Apple Mail messages...completely, totally, fully -- UNENCRYPTED -- readable, even with Siri disabled, without requiring the private key. Most would assume that disabling Siri would stop macOS from collecting information on the user. This is a big deal.

This is a big deal for governments, corporations and regular people who use encrypted email and expect the contents to be protected. Secret or top-secret information, which was sent encrypted, would be exposed via this process and database, as would trade secrets and proprietary data.

Apple told The Verge that it has been made aware of the issue and will address it in a future software update. Apple also said that only portions of some emails are stored, and provided Gendler with instructions on preventing data from being stored by the snippets database.

This issue affects a limited number of people in practice, and is not something that macOS users should generally worry about. It requires customers to be using macOS and the Apple Mail app to send encrypted emails. It does not impact those who have FileVault turned on, and a person who wanted to access the information would also need to know where in Apple's system files to look and have physical access to a machine.

Still, as Gendler points out, this particular vulnerability "brings up the question of what else is tracked and potentially improperly stored without you realizing it."

Those concerned about this issue can prevent data from being collected in the snippets.db database by opening up System Preferences, choosing the Siri section, selecting Siri Suggestions & Privacy, choosing Mail and then turning off "Learn from this App." This will stop new emails from being added to snippets.db but won't remove those that have already been included.

Apple told The Verge that customers who want to avoid unencrypted snippets being read by other apps can avoid giving apps full disk access in macOS Catalina. Turning on FileVault will also encrypt everything on the Mac.
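The checks described above can be scripted. The following is an added example, not code from the article, Gendler or Apple: it looks for files named snippets.db under a directory the caller supplies and reads FileVault state from the text printed by `fdesetup status`. The function names are hypothetical, and searching the user's Library folder is an assumption, since the article does not say where the file lives.

```shell
#!/bin/sh
# Added example (not from the article): audit for the snippets.db exposure.
# Assumption: the caller chooses the search root; the article gives no path.

# Print every regular file named snippets.db under the given root.
find_snippets_db() {
    find "$1" -type f -name 'snippets.db' 2>/dev/null
}

# Map the text printed by `fdesetup status` to on / off / unknown.
filevault_state() {
    case $1 in
        *"FileVault is On"*)  echo on ;;
        *"FileVault is Off"*) echo off ;;
        *)                    echo unknown ;;
    esac
}

# Succeed if FILE changed within the last DAYS days: a hint, not proof,
# that "Learn from this App" is still enabled and data is still being added.
modified_within() {
    [ -n "$(find "$1" -type f -mtime "-$2" 2>/dev/null)" ]
}

# audit ROOT FDESETUP_TEXT [DAYS]: print one finding per database found.
# Returns 0 if none exist, 1 if some exist and FileVault is on,
# 2 if some exist and FileVault is off or could not be determined.
audit() {
    root=$1 state=$(filevault_state "$2") days=${3:-1}
    hits=$(find_snippets_db "$root")
    if [ -z "$hits" ]; then
        echo "OK: no snippets.db under $root"
        return 0
    fi
    printf '%s\n' "$hits" | while IFS= read -r db; do
        if modified_within "$db" "$days"; then age="changed in last ${days}d"
        else age="not changed in last ${days}d"; fi
        echo "FOUND: $db ($age, FileVault $state)"
    done
    if [ "$state" = on ]; then return 1; fi
    return 2
}

# Audit the current user only when asked: sh audit.sh --audit
if [ "${1:-}" = "--audit" ]; then
    audit "$HOME/Library" "$(fdesetup status 2>/dev/null)" 7
fi
```

A database that keeps changing after "Learn from this App" has been turned off for Mail may still be receiving data from other apps, so treat the modification check as a prompt to review the remaining Siri Suggestions settings.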

Full details on the vulnerability can be read in Gendler's Medium article.

This article, "Apple to Fix macOS Mail Vulnerability That Leaves Text of Some Encrypted Emails Readable" first appeared on MacRumors.com

PSA: Apple Mail Bugs Can Lead to Data Loss in macOS Catalina

Michael Tsai, the developer of EagleFiler and the SpamSieve plug-in for Apple Mail on Mac, has written a blog post warning macOS users about potential data loss in Mail when upgrading to macOS Catalina 10.15.0 (build 19A583).

According to Tsai, he's heard from several users that updating Mail's data store from Mojave to Catalina sometimes says that it has succeeded, when in fact on closer inspection it turns out that large numbers of messages are incomplete or missing entirely.

In addition, users have reported the loss of message content when moving emails between mailboxes. From Tsai's post:

Moving messages between mailboxes, both via drag-and-drop and AppleScript, can result in a blank message (only headers) on the Mac. If the message was moved to a server mailbox, other devices see the message as deleted. And eventually this syncs back to the first Mac, where the message disappears as well.

Tsai warns that these issues are particularly pernicious because users may not realize anything's wrong unless they look at affected messages or mailboxes. Since the data is synced to the server, these problems can also propagate to other computers and devices, and relying on backups is difficult because Mail data is continually changing and there's no easy way to merge restored data with messages received since the last backup.

Despite the latter risk, it's still good practice to make backups, but Tsai notes that Apple Support appears to be erroneously advising users that lost Mail data in Catalina can't be recovered from a Time Machine backup made using macOS Mojave.

According to Tsai, this is not the case: Apple Mail's File -> Import Mailboxes... menu bar option can be used to selectively import them into Mail in Catalina as new local mailboxes.

Tsai says he's unsure whether these issues are due to Mail bugs or to other factors such as problems on the Mac or with the mail server. Apple released macOS Catalina 10.15.1 beta to developers on Friday, but it's still unclear if this version resolves the Mail app bugs. Regardless, Tsai's advice to users who rely on Apple Mail is to "hold off on updating to Catalina for now."

Affected readers can find the full breakdown of the issues here. Have you had problems with Mail since updating to Catalina? Let us know in the comments below.

This article, "PSA: Apple Mail Bugs Can Lead to Data Loss in macOS Catalina" first appeared on MacRumors.com

How to Flag Emails Using Different Colors on iPhone and iPad

In iOS 13 and iPadOS 13, Apple's Mail app retains the swipe gestures of previous iOS versions that help you reduce the amount of time you spend managing messages in your inbox.

The basic inbox gestures still involve swiping right or left on an email to reveal tappable actions that you can perform instantly, without having to call up additional menus.

One of the default options that appear is the Flag action, which you might use to categorize a message that requests information needed by a certain date, for example.

Using only the swipe gesture, you'd be forgiven for thinking that the Mail app provides only one color to use when flagging emails, but iOS 13 actually introduces support for multicolor flags – it's just hidden away in the menu that appears when you hit the Reply button.

Tap the Flag button there, and you'll reveal a submenu that allows you to choose one of seven colors, including the option to remove a flag. Note that whichever color you select here subsequently becomes the default color when you tap the Flag action or the More -> Mark... option via the inbox swipe gesture.

Did you know that you can customize the actions that appear when you use the Mail app's inbox gestures? Click here to learn how.

This article, "How to Flag Emails Using Different Colors on iPhone and iPad" first appeared on MacRumors.com

How to Set Up Mail VIP Contacts in macOS, iOS 11, and iCloud Mail

In Apple Mail, finding email messages from certain contacts can be made easier by giving them a "VIP" status. Short for Very Important Person, VIPs are identified in your inbox by a star next to the person's name in any messages you receive from them. Messages from the same VIP are also displayed in their own folder in a special VIP smart mailbox that sits in Apple Mail's Favorites bar.

You can assign up to 100 VIPs, and if you use iCloud Contacts, your VIPs are available on any other Apple devices signed in to the same account. Moreover, you can choose to be notified of emails only when the messages are from people in your VIPs list, thanks to Apple Mail's custom alerts feature. Keep reading to learn how to set up VIPs on macOS, iOS 11 (including Apple Watch), and iCloud Mail.