Vulnerability allows reading encrypted Apple Mail messages on macOS
Back in July of this year, information security specialist Bob Gendler, who specializes in Apple device issues, discovered that Apple Mail on macOS stores encrypted messages in clear text in the snippets.db database. In effect, this vulnerability allows encrypted Apple Mail messages to be read on macOS.
As Gendler explains on his blog, the problem stems from a Siri feature that lets the voice assistant offer contact information at the owner's request. Siri uses the suggestd process to collect contact information from various applications. Everything the assistant finds is stored in the snippets.db file in case the user ever needs it.
Gendler found that even if the user has configured Apple Mail to send and receive encrypted correspondence, Siri still collects unencrypted versions of the messages and saves parts of them in the database. The problem affects all versions of macOS from Sierra to Catalina.
“This is a serious problem for governments, corporations, and ordinary people who use encrypted email and expect their content to be protected. Because of this database and the process, secret and top-secret information transmitted in encrypted form can be disclosed, just like commercial secrets and confidential data”, – the researcher writes.
Apple has had more than 90 days to fix the problem, but there are still no patches. The company has told the media that it intends to fix the vulnerability soon.
“Apple tells that it is aware of the issue and says it will address it in a future software update. The company also says that only portions of emails are stored. But the fact that Apple is still somehow leaving parts of encrypted emails out in the open, when they’re explicitly supposed to be encrypted, obviously isn’t good”, — writes The Verge magazine.
In the meantime, Gendler explains that simply disabling Siri will not help. Instead, users need to prevent the assistant from viewing encrypted messages from Apple Mail.
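One way to check a machine for the leak described above, as an added example that is not from Gendler's blog or this article: send yourself an encrypted message containing a unique canary string, then scan a copy of the database for that string. The article gives neither the path nor the schema of snippets.db, so the script enumerates every table and column; the sample database, its table names and the canary value are constructed.

```python
import sqlite3
import tempfile
from pathlib import Path


def find_canary(db_path, canary):
    """Return sorted (table, column, rows) for each column containing the canary."""
    needle = canary.encode("utf-8")  # assumes UTF-8 storage; UTF-16 text is not matched
    # Open read-only so the audit cannot modify the file under inspection.
    conn = sqlite3.connect(Path(db_path).resolve().as_uri() + "?mode=ro", uri=True)
    conn.text_factory = bytes  # TEXT and BLOB values both come back as bytes
    hits = []
    try:
        tables = [r[0].decode() for r in conn.execute(
            "SELECT name FROM sqlite_master WHERE type = 'table'")]
        for table in tables:
            qt = '"' + table.replace('"', '""') + '"'  # quote identifiers safely
            cols = [r[1].decode() for r in conn.execute(f"PRAGMA table_info({qt})")]
            for col in cols:
                qc = '"' + col.replace('"', '""') + '"'
                rows = sum(1 for (v,) in conn.execute(f"SELECT {qc} FROM {qt}")
                           if isinstance(v, bytes) and needle in v)
                if rows:
                    hits.append((table, col, rows))
    finally:
        conn.close()
    return sorted(hits)


def demo(canary="CANARY-7f3a"):
    """Build a constructed sample database (invented schema) and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        path = Path(tmp) / "sample.db"
        conn = sqlite3.connect(path)
        conn.execute("CREATE TABLE sample_messages (id INTEGER PRIMARY KEY, body TEXT)")
        conn.execute("CREATE TABLE cache_blobs (id INTEGER PRIMARY KEY, payload BLOB)")
        conn.executemany("INSERT INTO sample_messages (body) VALUES (?)",
                         [("See you at noon",), ("draft CANARY-7f3a do not forward",)])
        conn.execute("INSERT INTO cache_blobs (payload) VALUES (?)",
                     (b"\x00\x01CANARY-7f3a\x02",))
        conn.commit()
        conn.close()
        return find_canary(path, canary)


if __name__ == "__main__":
    for table, col, rows in demo():
        print(f"{table}.{col}: {rows} row(s) contain the canary")
```

Any hit for a canary that was only ever sent in an encrypted message means plaintext has been written outside the encrypted store; rerunning the scan after changing the Siri setting confirms whether new messages are still being collected.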