Apple's Hide My Email feature, a tool designed to protect user privacy by generating random forwarding addresses, contains a flaw that can expose the real email addresses of iCloud+ subscribers, security researchers have discovered. The issue undermines the core purpose of the service, which is used by millions to shield their inboxes from spam and tracking.
How the Leak Occurs
Researchers identified that the flaw stems from how forwarded emails carry original message headers. When a sender replies to a Hide My Email address, the response includes the user's real address in certain header fields. Email services and recipients can extract this information with simple tools. The exposure methods include:
Apple designed Hide My Email to anonymize correspondence, but the feature relies on proper email routing that can expose data at multiple points.
Why This Matters
The flaw erodes trust in Apple's privacy-focused ecosystem, especially for users who rely on the service for anonymity in transactions or registrations. Real-world consequences include increased spam, targeted phishing attacks, and potential doxxing for journalists or activists. Apple positions privacy as a core value, and this vulnerability directly contradicts that promise. The company must now decide whether to redesign the feature or accept a partial privacy solution that leaves millions at risk. As iCloud+ competes with Google and Microsoft, such security lapses could shift user loyalty.
Apple's Response and Next Steps
Apple has acknowledged the report but not yet released a public statement regarding a patch. In the meantime, users can adopt workarounds such as avoiding email forwarding for sensitive accounts or using dedicated anonymous email services. Security experts recommend that Apple implement stricter header stripping or offer end-to-end encryption for forwarded messages. Until a fix arrives, Hide My Email users should assume that their real addresses may be accessible to determined third parties.
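The leak mechanism described above (the real address riding along in header fields of the forwarded reply) and the header-stripping remedy the experts recommend can both be made concrete with a small relay-side check. The following is an added example written for this article, not Apple's code or any description of how Hide My Email is implemented. The article does not name the header fields that leaked, so the sample message, the addresses, and the header names in `DROP_HEADERS` are constructed assumptions chosen to show the usual places a real mailbox surfaces in a relayed reply.

```python
"""Added example: detect and scrub a subscriber's real address from the
headers of a message before a privacy relay forwards it onward."""
import re
import email
from email import policy

REAL = "jane.real@example.org"               # constructed subscriber address
ALIAS = "random.alias@privaterelay.example"  # constructed relay alias

# Constructed sample of a reply heading back out through a forwarding relay.
# The header names below are assumptions, not the fields named in any report.
SAMPLE = b"""Received: from relay.example (relay.example [192.0.2.10]) by mx.example with ESMTP; Mon, 1 Jan 2024 10:00:00 +0000
Return-Path: <jane.real@example.org>
From: Merchant <shop@example.com>
To: <random.alias@privaterelay.example>
Reply-To: Jane <JANE.REAL@example.org>
X-Original-To: jane.real@example.org
Subject: Re: your order
Message-ID: <abc@example.com>

Thanks for the order!
"""

# Delivery-trace headers a privacy relay should never pass through as-is
# (assumed list; a real relay would tune this to its own MTA).
DROP_HEADERS = {"return-path", "x-original-to", "delivered-to"}


def find_leaks(raw: bytes, real_address: str) -> list[str]:
    """Return the names of all headers whose value contains the real address.

    Matching is case-insensitive because the local part of an address is
    often re-cased by the sending client.
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    needle = real_address.lower()
    return [name for name, value in msg.items() if needle in str(value).lower()]


def scrub(raw: bytes, real_address: str, alias: str) -> bytes:
    """Drop trace headers and rewrite any remaining header that still names
    the real address, so only the alias leaves the relay."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    pattern = re.compile(re.escape(real_address), re.IGNORECASE)

    # Collect the headers to keep, with the real address replaced by the alias.
    kept = []
    for name, value in msg.items():
        if name.lower() in DROP_HEADERS:
            continue
        kept.append((name, pattern.sub(alias, str(value))))

    # Remove every header (del removes all instances of a name), then re-add
    # the sanitized set in original order; the body is left untouched.
    for name in set(msg.keys()):
        del msg[name]
    for name, text in kept:
        msg[name] = text
    return msg.as_bytes()


if __name__ == "__main__":
    print("leaking headers:", find_leaks(SAMPLE, REAL))
    print(scrub(SAMPLE, REAL, ALIAS).decode())
```

`find_leaks` is the audit step: run it over a sample of outbound relay traffic and any non-empty result is a header path that needs policy. `scrub` shows the two defensive moves the experts' recommendation implies: delete trace headers outright, and rewrite (rather than trust) anything else that still carries the protected address.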