In summary:
- Macworld reports that Apple’s Hide My Email feature contains a vulnerability that can expose users’ real email addresses despite being designed for anonymity.
- This security flaw was discovered by Tyler Murphy and reported to Apple over a year ago, but remains unpatched according to 404 Media’s verification testing.
- Users relying on this iCloud+ privacy feature for protection should consider alternative email solutions until Apple addresses the ongoing vulnerability.
A new report by 404 Media states that Apple’s Hide My Email feature contains a vulnerability that can be used to reveal the true email address behind the one that Apple generates for you. The vulnerability, which was found by Tyler Murphy, was reported to Apple last year, and has yet to be fixed.
404 Media did not disclose how the vulnerability can be used, but it did perform its own testing and verified that the actual email address behind one created with Hide My Email was uncovered. Standard practice in the security community is not to disclose any findings until after the vulnerabilities have been fixed, but since it’s been a year, Murphy went public in an effort to pressure Apple to address the problem.
A month after he made his initial report to Apple, Murphy was told that an update had provided a fix. But Murphy was able to expose the vulnerability after the supposed patch and provided Apple with more details. Last May, Murphy was told that Apple was still investigating the issue.
Hide My Email is a feature of iCloud+ that allows users to create and use an anonymous email address when signing up for online accounts. It’s a popular feature because it lets users avoid giving out their actual email address and maintain a degree of privacy. “If you choose the Hide My Email option, only the app or website you created the account with can use this unique email address to communicate with you,” according to an Apple support document. Emails are still routed to your main iCloud account, but the identity is meant to be hidden.
While the vulnerability hasn’t been publicly detailed, users should be wary of the effectiveness of Hide My Email. You could continue using it, but know that it might not be completely private. If you’re not convinced Hide My Email is doing its job, you can instead create a separate email account at a free online email service such as Gmail or Yahoo specifically for non-critical logins, and use it until Apple addresses the issue.
Perhaps related, Apple recently announced a change to Hide My Email, where the email address created uses @private.icloud.com instead. That’s different from @icloud.com, so services could distinguish the two domains and refuse to accept @private.icloud.com addresses when an email address is required. Apple said the change is coming later this summer.



