Spotlight Search Glitch in OS X Yosemite Exposes Private Data

German tech news site Heise uncovered a new OS X Yosemite privacy issue that reveals private details of Apple Mail users, such as IP addresses and other system information, which could be particularly interesting to hackers. The glitch has been replicated by IDG News Service.

The issue involves the new Spotlight: although it is a very useful tool, its preview feature loads previews of emails, and when it does this, it automatically loads external images linked in HTML emails.

Although this wouldn’t raise a red flag for some users, the aforementioned action — loading external files — can harm the Mac user as it discloses the IP address, current OS version, and some details about the browser and version of Quick Look being used.

This becomes somewhat scary in light of the practice email marketers use: their emails usually include a so-called tracking pixel (a one-pixel-square GIF file), which sends the information back to the sender when the email is opened. Now, if you open the email a hacker has sent to you or just use the search feature of Spotlight, it will also contain the above data.

The only workaround for this privacy issue is to disable “Mail & Messages” for Spotlight in System Preferences. In case you are using Apple Mail (like I do), this action is highly recommended.