
Apple 'Hide My Email' vulnerability reveals peoples' real email addresses

https://easyoptouts.com/guides/apple-hide-my-email-is-leaking-email-addresses
125•sashk•8h ago
https://www.404media.co/apple-hide-my-email-vulnerability-re..., https://archive.vn/mCbBw

Comments

tjames7000•3h ago
We put up a timeline of the disclosure here: https://easyoptouts.com/guides/apple-hide-my-email-is-leakin...
dang•1h ago
Thanks! We'll make that the main URL and put the submitted link in the toptext.
lode•3h ago
archive link: https://archive.vn/mCbBw
FabHK•1h ago
That's disappointing, both that the vulnerability exists in the first place, and that Apple takes over a year to not even fix it.
rubatuga•1h ago
Is it based on mail undeliverable errors? Or attempts to login using IMAP or SMTP with it? Or is it exposed during the SMTP protocol?
hunter2_•1h ago
As someone who doesn't rely on this feature, I'd love to know now as well, but perhaps the etiquette in public would be to align ourselves with:

> we will not discuss or disclose the details of the exploits until they're fixed.

But if there's a public forum where the cat's already out of the bag, then game on. Perhaps this:

https://www.reddit.com/r/apple/comments/1ukilw1/apple_hide_m...

Dibby053•59m ago
My guess would be it has nothing to do with email itself. Maybe it's some iCloud API that accepts obfuscated emails but returns the original email in the response, or an ID which can be used to retrieve the iCloud email from another API endpoint. Could be as simple as an "add contact/friend" feature in some Apple product (like a mail client, or a file sharing service) that resolves the obfuscated email to the original iCloud account.
fsuts•1h ago
I think you should formally write to Apple and give notice of 30 days to contact you or you will reveal it.

Send it to the USA media and regulator too.

tjames7000•29m ago
I've been going back and forth with Apple about it for a year. We don't feel comfortable releasing the exploit details even though they're being slow. We think enough people rely on Hide My Email for personal safety that it would be irresponsible.
jijijijij•52m ago
I think "real email" address is underselling it, since that's commonly the Apple ID, which is the gateway to some people's whole digital existence. Not to mention the fact that you tend to use Hide My Email in particular for services you don't want any identity leaked to. The "real email" may contain your legal name already.
alwa•33m ago
It’s hard for me to assess how real this risk is. Without details, we’re just extrapolating from circumstantial vibes.

What’s described sounds like it might be spooky. It might also be a magic trick to some degree… Mr. Cox’s PoC—“I gave a fresh Hide-My-Email alias to a guy who knows who I am, and he told me the email on my Apple ID”—is consistent with the claimed behavior but not exactly watertight.

It also sounds like it might be the sort of thing that’s either “just how the email ecosystem works” or mitigable by covert means. For example, if Apple can identify exploit attempts from its privileged vantage over its infrastructure, maybe that’s the basis for its relaxed impact assessment.

I’m reminded of Amazon’s risk assessment with respect to some Quick bug recently [0]: “yeah, it’s bad, but we checked and there are literally zero people other than you who’ve ever used that feature that way.”

Or maybe it’s the kind of thing that requires a structural sort of tradeoff to conclusively fix. I could imagine the exposure mechanism having something to do with their forthcoming move to segregate aliases to their own “private.icloud.com” domain.

(A move at which Mr. Cox swipes in the 404 Media article, too, of course, but hey—“impact journalism.”)

And then, since we have only vibes to go on, there’s the judgment reflected in the researcher’s email to Apple:

> “It seems that ending new sales of Hide My Email until the problem is fixed would be an effective way to limit the number of customers at risk. Is that an option?” Murphy wrote back.

I can only hope that was a sardonic moment of frustration quoted out of context… Hide My Email is “sold” as a tiny tiny bonus feature of a much bigger iCloud+ product. But as-quoted, it’s giving a little bit of Chicken Little… I’m reminded of the time somebody demanded that a firm I’m familiar with halt all sales (and pay hush money) because of a CRITICAL SECURITY HOLE: you could access the contents of a password field by typing the password in the field, pressing F12 in the browser, and typing $(“#pw-input”).value …

If the flaw really is the sort of thing that required fundamental product changes to fully address—like this domain segregation thing—a year doesn’t seem wild at all to make that transition safely and at scale. Especially if they identified effective mitigations in the meantime.

Then again, maybe they really are negligent…

[0] https://www.theregister.com/columnists/2026/05/13/aws-patche...

mike-cardwell•27m ago
That timeline was exactly my experience with Apple here - https://www.grepular.com/Apples_Protect_Mail_Activity_Doesnt...

They don't seem to know or care what is going on with their own email systems.

lapcat•4m ago
Has anyone seen Protect Mail Activity get re-enabled after you've disabled it? I wrote about that a few days ago: https://lapcatsoftware.com/articles/2026/6/6.html
risyachka•23m ago
Shameless plug

https://github.com/webmonch/hide-my-mail-cloudflare

kittikitti•8m ago
I use this feature often and I'm very disappointed. Depending on the exploit, I'm waiting to join a class action lawsuit. I'm constantly humiliated by believing Big Tech's security promises and I've had enough. I suspect that this is yet another intentional backdoor. When these security systems fail, people like me experience violence.
tjames7000•7m ago
> > “It seems that ending new sales of Hide My Email until the problem is fixed would be an effective way to limit the number of customers at risk. Is that an option?” Murphy wrote back.

> I can only hope that was a sardonic moment of frustration quoted out of context

I didn't make my point clearly there, and I think it makes more sense in context, but it was a sincere suggestion that Apple could stop allowing new people to use Hide My Email. There are many other email aliasing services, so they wouldn't be depriving people of a unique offering. At the time, I wasn't aware that Hide My Email was only available as part of iCloud+. All I knew was that it wasn't free.
