There’s a vulnerability in the macOS version of the Apple Mail app that leaves some of the text of encrypted emails unencrypted, according to a report from IT specialist Bob Gendler (via The Verge).
According to Gendler, the snippets.db database file used by a macOS function that offers up contact suggestions stores encrypted emails in an unencrypted format, even when Siri is disabled on the Mac.
Gendler initially discovered the bug in July and reported it to Apple. Over the course of several months, Apple said that it was looking into the issue, though no fix ever came. The vulnerability continues to exist in macOS Catalina and earlier versions of macOS dating back to macOS Sierra.
“Let me say that again… The snippets.db database is storing encrypted Apple Mail messages… Completely, totally, fully — UNENCRYPTED–readable, even with Siri disabled, without requiring the private key. Most would assume that disabling Siri would stop macOS from collecting information on the user. This is a big deal.
“This is a big deal for governments, corporations and regular people who use encrypted email and expect the contents to be protected. Secret or top-secret information, which was sent encrypted, would be exposed via this process and database, as would trade secrets and proprietary data.”
Apple told The Verge that it has been made aware of the issue and will address it in a future software update. Apple also said that only portions of some emails are stored, and provided Gendler with instructions on preventing data from being stored by the snippets database.
This issue affects a limited number of people in practice, and is not something that macOS users should generally worry about. It requires customers to be using macOS and the Apple Mail app to send encrypted emails. It does not impact those who have FileVault turned on, and a person who wanted to access the information would also need to know where in Apple’s system files to look and have physical access to a machine.
Still, as Gendler points out, this particular vulnerability “brings up the question of what else is tracked and potentially improperly stored without you realizing it.”
Those concerned about this issue can prevent data from being collected in the snippets.db database by opening up System Preferences, choosing Siri Suggestions & Privacy, choosing Mail and then turning off “Learn from this app.” This will stop new emails from being added to snippets.db but won’t remove those that have already been included.
Apple told The Verge that customers who want to avoid unencrypted snippets being read by other apps can avoid giving apps full disk access in macOS Catalina. Turning on FileVault will also encrypt everything on the Mac.
Full details on the vulnerability can be read in Gendler’s Medium article.