Apple’s Email Privacy Feature May Not Be as Private as You Think

Email masking services have become an increasingly popular way to protect online privacy. Rather than providing a personal email address to every website or application, users receive a randomly generated alias that forwards messages to their real inbox. If the alias begins receiving spam or is compromised, it can simply be disabled without affecting the user’s primary address.

One widely used implementation of this concept is Apple’s “Hide My Email” feature. However, a security researcher now claims that the privacy mechanism contains a vulnerability that could allow an attacker to discover the real email address it is intended to protect.

According to Cyber News, the issue has remained unresolved despite being reported to the company more than a year ago.

The feature works by creating unique forwarding addresses for each website or service. Instead of exposing the user’s actual inbox, those aliases receive incoming messages and automatically forward them to the underlying account, helping reduce tracking, spam, and unwanted disclosure of personal contact information.

The newly reported vulnerability allegedly allows hidden email addresses to be uncovered under certain circumstances. Although the researcher has not publicly disclosed the technical details, citing responsible disclosure concerns, an independent report states that the issue was verified while avoiding publication of information that could facilitate abuse.

The researcher first notified the company in June 2025. According to the published timeline, the company later indicated that the issue had been addressed through system changes introduced in March 2026. However, subsequent testing reportedly showed that the vulnerability remained.

The company continued investigating the report and asked that details remain confidential while it worked on a future security update. At the time of publication, no public fix had yet been confirmed.

Another development could affect the service’s usability. The company has previously announced plans to consolidate the feature’s addresses under a single @private.icloud.com domain. While intended to simplify the system, some observers have raised concerns that websites may reject addresses using the new domain, potentially reducing the feature’s practical value.

From a cybersecurity and privacy perspective, email masking services play an important role in limiting exposure of personal information. Protecting users’ real email addresses helps reduce phishing risks, spam campaigns, identity correlation, and targeted social engineering attacks.

The reported vulnerability serves as a reminder that privacy-enhancing technologies require continuous security review. Even features specifically designed to conceal sensitive information must be rigorously tested to ensure they continue delivering the protection users expect.