Explanation: the OS X Yosemite, Spotlight and Mail Privacy Bug

One of the ways OS X users avoid being tracked is to turn off the loading of remote content in Mail preferences. However, a German researcher has discovered that Spotlight in Yosemite bypasses this preference. What's all the fuss about and what can you do about it?

Executive Summary

First, if you've been loading remote content in your emails already, the result is nothing new. Second, this isn't really a security breach so much as the normal kind of tracking that many websites and marketers engage in. Even so, if you want to know what's going on and how to work around the OS X Yosemite bug, then read on.

The Basics: Tracking Via Embedded Images

First, the email basics. When you read an email, there may be embedded images. Most of the time, they are harmless, especially if coming from a known acquaintance or a business you trust. However, some spam or malicious emails configure the images so that when they load (and you view them), tracking information is sent back to the originator. In fact, the image may be as small as a single pixel, one that you'll never notice. This is done with what's called a Web bug (on a site) or a tracking pixel (in an email).,

The information that's sent back includes your WAN IP and your OS and version. The WAN IP can be used to generally identify your ISP and location. Your OS and version could be a clue to unpatched vulnerabilities. (That's a good reason to always be using the latest version of OS X.)

If you don't want these included images to ever load in Mail, there is an Apple Mail preference: Viewing > Load remote content in messages. That's a good first line of defense to prevent tracking. Another is to use a utility like C-Command's Spam Sieve so that you hardly ever look at a spam message.

Turn off this option to prevent remote content/images from loading in Mail.

If this option is unchecked, you can still elect to load the images from a site you trust. There will be banner at the top of the email. Click on "Load Remote Content." It's a choice to balance annonymity vs. convenience.

This banner will appear if you've unchecked the Mail Preference box above.

The Bug

According to a German website heise.de, the problem arises when you do a Spotlight search for Mail. If, as a result of a Spotlight search, you click on an email in the sidebar, any embedded images will still be loaded, even if you have the preference mentioned above turned off. As a result, the tracking info is still sent.

This is something that Apple needs to fix in order to preserve consistent handling of the Mail app Viewing preference.

Short Term Fix

You can temporarily sidestep this bug by telling Spotlight not to index your emails. You can do that in System Preferences > Spotlight > Search Results. That's an inconvenience to be sure, but presumably you can turn it back on when the bug is fixed.

Uncheck this box to stop Spotlight from indexing your emails.

Discussion

If you've always had remote content loaded, pay close attention to spam and suspicious emails, and don't care about tracking information sent back to the originator, then there's not much to worry about.

However, if you're paranoid and want to eliminate this avenue for others to track you, then follow the Preference options above. We'll follow-up and report, if possible, when this Yosemite Spotlight bug is fixed.

For some additional discussion on this bug, it was covered by TMO's Adam Christianson in Maccast 2015.01.11 starting at time stamp 00:35:03.