Apple Hide My Email Vulnerability Leaks User Identities

Apple's Hide My Email service contains a vulnerability that exposes users' permanent email addresses

Apple's Hide My Email service, designed to protect iCloud+ users by acting as an intermediary between randomized aliases and real email addresses, has a vulnerability that allows attackers to uncover the hidden identity of the user. This flaw undermines the core privacy promise of the service, potentially exposing Apple IDs and legal names to third parties.

Timeline of Disclosure and Apple's Response

Researchers at EasyOptOuts discovered the vulnerability and reported it to Apple in June 2025. Despite multiple follow-ups and claims from Apple that the issue was resolved, the vulnerability persists as of June 30, 2026.

  • June 11, 2025: Initial discovery and report submitted to Apple. Apple confirmed the service is not intended to allow discovery of hidden addresses.
  • June 13–20, 2025: Detailed reproduction instructions and additional troubleshooting information provided to Apple.
  • July 9, 2025: A second, distinct vulnerability allowing address discovery was reported.
  • March 3, 2026: Apple claimed the vulnerabilities were fixed; however, researchers verified on March 19, 2026, that they remained active.
  • May 22, 2026: Researchers reported that the vulnerability's severity and scope were greater than initially believed. Apple did not acknowledge this specific report.
  • June 30, 2026: Apple again claimed the issues were fixed, but verification by researchers confirmed the vulnerability still exists.

To protect users, the specific technical details of the exploits are being withheld from public disclosure until a fix is implemented.

Technical Analysis and Community Insights

While the exact exploit remains private, technical discussions in the community suggest several potential vectors for email leakage and privacy failures within the iCloud infrastructure.

Potential Leakage Vectors

Some users speculate that the leak could occur via undeliverable-mail (bounce) errors or specific SMTP protocol behaviors. One theory suggests that sending an email with an excessively large attachment to a Hide My Email address could trigger a rejection response from the user's real email server, thereby revealing the destination address.

DMARC and Header Leaks

Users utilizing personal domains for forwarding have identified a specific privacy leak involving DMARC records. When replying to an email via iCloud SMTP servers, iCloud may insert a diagnostic header (X-DMARC-Info) that reveals the user's actual domain (e.g., pdomain=example.org). This allows the recipient to determine the domain of the hidden email address, even if the full address remains obscured.
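
A self-audit for the header leak described above, as an added example that is not from the original article or from Apple: it parses a reply saved from your own sent mail and reports any pdomain value in X-DMARC-Info that differs from the alias domain in From. The sample message and the layout of the header value are constructed assumptions; only the header name and the pdomain= field come from the article.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample reply. The X-DMARC-Info value layout is an assumption;
# only the header name and the "pdomain=" field are taken from the article.
SAMPLE_REPLY = """\
From: Alias <constructed-alias@icloud.com>
To: shop@merchant.example
Subject: Re: Your order
X-DMARC-Info: pass=true; pdomain=example.org; policy=none
Message-ID: <constructed-1@icloud.com>

Thanks, received.
"""

# Matches pdomain=<hostname> anywhere in the header value, folded or not.
PDOMAIN_RE = re.compile(r"\bpdomain=([A-Za-z0-9.-]+)", re.IGNORECASE)


def leaked_domains(raw_message: str) -> list[str]:
    """Return domains exposed via X-DMARC-Info that differ from the From domain."""
    msg = message_from_string(raw_message)
    _, from_addr = parseaddr(msg.get("From", ""))
    alias_domain = from_addr.rpartition("@")[2].lower()
    leaked = []
    # A message may carry the header more than once; inspect every instance.
    for value in msg.get_all("X-DMARC-Info", []):
        for domain in PDOMAIN_RE.findall(value):
            domain = domain.lower().rstrip(".")
            # The alias domain itself reveals nothing new; anything else does.
            if domain != alias_domain and domain not in leaked:
                leaked.append(domain)
    return leaked


if __name__ == "__main__":
    for d in leaked_domains(SAMPLE_REPLY):
        print(f"X-DMARC-Info exposes forwarding domain: {d}")
```

Run it against a test reply sent to an address you control before relying on an alias that forwards to a personal domain.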

Impact on Apple ID Security

Community members have noted that the exposure of a "real email" is particularly severe because the address is often the user's Apple ID. Since the Apple ID serves as the primary gateway to a user's digital ecosystem, its exposure increases the risk of targeted attacks and identity correlation.

Summary of Risks

Users of Hide My Email should be aware that the service may not provide total anonymity. The risk is particularly high for those who:

  1. Forward Hide My Email aliases to personal domains rather than @icloud.com addresses.
  2. Use their primary Apple ID as the destination for these aliases.
  3. Communicate with parties from whom they specifically intend to remain anonymous.
