Apple's Hide My Email feature, a tool designed to protect user privacy by generating random forwarding addresses, contains a flaw that can expose the real email addresses of iCloud+ subscribers, security researchers have discovered. The issue undermines the core purpose of the service, which is used by millions to shield their inboxes from spam and tracking.

What You Need to Know

Hide My Email is part of iCloud+ and lets users create unique email aliases that forward messages to their real inbox. The vulnerability allows third parties to infer the actual email address through metadata embedded in forwarded messages. This affects anyone using the feature for privacy, including those avoiding spam, marketing trackers, or identity exposure. Apple has not yet confirmed a fix timeline.

How the Leak Occurs

Researchers identified that the flaw stems from how forwarded emails carry original message headers. Mail sent to an alias is relayed to the user's real inbox; the exposure the researchers describe occurs on the way back out. When the user replies from the alias, header fields that the relay does not rewrite can still carry the real address, and the correspondent's next reply is then addressed to the real mailbox. These headers travel as plain text, so any recipient or intermediate mail server can read them with ordinary tools. The exposure methods include:

  • Message headers: on a message sent from an alias, the real address can appear in the "Reply-To" field, or in the "Return-Path" that the receiving server records from the SMTP envelope sender.
  • Inline replies: if a user replies from an alias, quoted header lines from earlier messages in the thread (a "> From:" line, for example) can carry the original address into subsequent messages.
  • Third-party servers: mail services that log message metadata may store the real address and share it without the user's consent.

Apple designed Hide My Email to anonymize correspondence, but the alias is substituted only at Apple's relay; any point in the delivery path where the real address is written into a message or a log, before or after that relay, can expose it.

Why This Matters

The flaw erodes trust in Apple's privacy-focused ecosystem, especially for users who rely on the service for anonymity in transactions or registrations. Real-world consequences include increased spam, targeted phishing attacks, and potential doxxing for journalists or activists. Apple positions privacy as a core value, and this vulnerability directly contradicts that promise. The company must now decide whether to redesign the feature or accept a partial privacy solution that leaves millions at risk. As iCloud+ competes with Google and Microsoft, such security lapses could shift user loyalty.

Apple's Response and Next Steps

Apple has acknowledged the report but has not yet released a public statement regarding a patch. In the meantime, users can adopt workarounds such as avoiding email forwarding, and in particular replying through an alias, for sensitive accounts, or using a dedicated anonymous email service. Security experts recommend that Apple strip or rewrite every address-bearing header at the relay; end-to-end encryption of forwarded messages has also been suggested, but it would protect only the message body, and the headers that carry the address would remain visible to every server that handles the mail. Until a fix arrives, Hide My Email users should assume that their real addresses may be accessible to determined third parties.