A flaw in Apple’s Hide My Email feature can reveal the real email address behind an address meant to conceal it, according to a security researcher who reported the issue and testing by 404 Media.
404 Media’s Joseph Cox reported that Apple has not fixed the vulnerability for more than a year. The publication said it confirmed the problem on Monday using one of its own masked addresses. It also said the issue remained exploitable at the time of verification.
Hide My Email is supposed to let a person use an Apple-generated address instead of handing over their real one. The point is boring and useful: if a site, app, or other recipient gets the relay address, the user’s actual inbox should stay out of sight. According to 404 Media, the reported bug breaks that privacy promise by letting an attacker discover the underlying address.
The mechanics are not public. 404 Media said it is withholding the exact steps because the vulnerability can still be abused. That leaves users with an ugly but familiar security limbo: enough information to know the protection may fail, not enough information to independently test exposure or judge the risk in detail.
The person who reported the issue told 404 Media that “Hide My Email users deserve to know that it may be possible for attackers to discover their hidden email addresses.” The researcher’s identity and the technical path to exploitation were not disclosed in the publicly available report.
404 Media characterized the attack as something “almost anyone” could use, and attributed that assessment to the researcher and its own testing. The report does not say how many people may have been affected, whether the bug has been exploited in the wild, or whether Apple has given users any warning.
Apple’s apparent delay is the other half of the story. According to 404 Media, the company has had more than a year to address the report and has not delivered a fix. The report does not include a public explanation from Apple for the delay.
For users, the practical takeaway is narrow but uncomfortable: an address created to hide a real inbox may not provide that concealment against someone using the reported vulnerability. Until Apple fixes the issue or explains the scope, the feature’s privacy claim has to be treated as provisional, not guaranteed.
This story draws on original reporting from 404 Media.