An unusual oversight in how OS X’s Spotlight feature handles privacy settings in Apple Mail leaves the door open to spammers, phishers and online tracking companies who can obtain private data such as your IP address, current operating system version, browser details and more, whenever an email message is previewed in Spotlight.
First discovered by German technology news site Heise, the bug takes advantage of a common information harvesting technique and a Mail setting which determines whether or not the program loads remote content in emails.

However, spammers and marketeers commonly use a technique called tracking pixels, which uses a link to a one-pixel-square GIF file that, when loaded, tells the server that you’ve received and opened the email. In turn, the server flags your email address as “alive” and from that point onward, you’ll receive even more unsolicited messages.
“What’s more, Spotlight also loads those files when it shows previews of unopened emails that landed directly in the junk folder,” notes Heise.

The only way to mitigate this is to exclude Mail from your Spotlight search by unticking the Mail & Messages box in System Preferences > Spotlight, as shown above. You will of course lose some functionality because your emails will no longer pop up in Spotlight searches, but at least you’ll be on the safe side.
I’m sure Apple will address this in the next OS update now that the glitch has been publicized.
Also worth mentioning, this glitch doesn’t affect people like myself who use a third-party application such as Dropbox’s Mailbox, Google’s Sparrow or Mindsense’s Mail Pilot as their daily email driver.