Apple’s Hide My Email Feature Vulnerable to Real Email Address Disclosure
What Happened — A researcher disclosed a flaw in Apple’s Hide My Email service that can allow an attacker to infer the user’s actual email address despite the feature’s intent to mask it. Apple has not yet released a fix, and the issue remains unpatched more than a year after initial reporting.
Why It Matters for Compliance & Audit Readiness
- The flaw bypasses a privacy‑by‑design control that organizations rely on to protect personally identifiable information (PII) in SaaS and cloud‑based workflows.
- SOC 2 privacy criteria (CC6.1, CC6.2) require demonstrable mechanisms for limiting data exposure; an unmitigated vulnerability undermines the evidence you can provide during an audit.
- Verisq’s CookiePLUS Privacy capability helps you map such privacy‑control gaps, generate continuous consent and DSAR readiness evidence, and close the audit‑readiness gap.
Who Is Affected — Consumers and enterprises that use Apple iCloud’s Hide My Email for sign‑ups, especially SaaS providers, marketing platforms, and any service that relies on the alias to protect user identities.
Recommended Actions
- Review your privacy‑control inventory against SOC 2 CC6 requirements; flag any reliance on third‑party alias services.
- Implement supplemental email‑alias monitoring and logging to detect potential address leakage.
- Document the exposure risk and mitigation plan as audit evidence; consider temporary alternative alias solutions until Apple patches the flaw.
Source: Malwarebytes Labs
Technical Notes
- Vulnerability type: design flaw in email‑forwarding logic that can be leveraged to correlate generated aliases with the underlying Apple ID.
- No CVE assigned; disclosed by 404 Media researcher Tyler Murphy (June 2025).
- Apple’s response: investigation ongoing, security update promised but not yet delivered.
Source: Malwarebytes Labs