posted by Fnord666 on Monday November 11 2019, @04:19PM
from the peeping-tom dept.

Submitted via IRC for Runaway1956

Apple will fix macOS flaw exposing portions of encrypted emails

Apple is touting its claimed privacy advantage more than ever, but that's not entirely true for Mac users at the moment. The company tells Engadget it will fix a macOS flaw that leaves portions of encrypted Mail messages unprotected. Bob Gentler has discovered that a database file used by Siri (snippets.db) was storing text from emails that were otherwise supposed to be protected -- even if you remove the private key that prevents you from reading the app in Mail. While it's not the full message, it could still pose problems if a hacker has access to your system and is trawling for sensitive info.

The vulnerability exists in at least the last four versions of macOS, ranging from Sierra to Catalina.

This isn't as glaring a flaw as it sounds. To be vulnerable, you'd have to use Mail, send encrypted messages from Mail and leave FileVault's whole-drive encryption turned off. If you rely on a third-party email client or use FileVault, you're not affected. You can also remove Mail from snippets.db by going to System Preferences > Siri > Siri Suggestions & Privacy > Mail and switching off the "learn from this app" option. It's not clear when the patch will be ready, but you won't have to stay exposed in the meantime.


  • (Score: 3, Informative) by Mojibake Tengu on Monday November 11 2019, @06:30PM (1 child)

    by Mojibake Tengu (8598) on Monday November 11 2019, @06:30PM (#919002) Journal

    Siri, can you hack this computer for us?

    --
    Respect Authorities. Know your social status. Woke responsibly.
    • (Score: 2) by jmichaelhudsondotnet on Tuesday November 12 2019, @06:11PM

      by jmichaelhudsondotnet (8122) on Tuesday November 12 2019, @06:11PM (#919487) Journal

      You are getting it wrong,

      'Siri-Master-node, can you please capture all of the email of the people who fit these criteria using the following vulnerabilities planted by our agents within the Apple corporation and enabled by our subsidiaries?'

      Then read all of those people's minds who don't want to enter an extra password when they reboot.

      You have an agent on the Siri team and an agent on the Mail team and it's like they make a handoff without having to ever even shake hands at corporate HQ. When it gets discovered it looks like a mistake but it's too late, the database of all knowledge in the world buried in the mountains grows, then gets shared with Israeli nutjobs.

      slimy abusive lateral power grab +2

  • (Score: 2) by MostCynical on Monday November 11 2019, @10:10PM (1 child)

    by MostCynical (2589) on Monday November 11 2019, @10:10PM (#919118) Journal

    just don't use Siri?

    --
    "I guess once you start doubting, there's no end to it." -Batou, Ghost in the Shell: Stand Alone Complex
    • (Score: 2) by zeigerpuppy on Tuesday November 12 2019, @12:37AM

      by zeigerpuppy (1298) on Tuesday November 12 2019, @12:37AM (#919174)

      Yeah, OSX used to be quite good privacy-wise but now Apple does almost as much exfiltration 'telemetry' as Microsoft.
      Try turning off iCloud, Siri, etc. and then installing Little Snitch.
      There are still lots of outgoing connections to Apple servers, particularly when using indexing or 3rd party accounts. At least most of these can be disabled but it's a bad trend.

  • (Score: 1, Interesting) by Anonymous Coward on Monday November 11 2019, @10:45PM (1 child)

    by Anonymous Coward on Monday November 11 2019, @10:45PM (#919128)

    I don't think they understand what encrypted means. But that's OK, as long as it means we get more Jennifer Lawrence nudie pix.

    • (Score: 2) by zeigerpuppy on Tuesday November 12 2019, @12:40AM

      by zeigerpuppy (1298) on Tuesday November 12 2019, @12:40AM (#919175)

      Sure they understand. End-to-end... When one end is their servers.
