OS X’s Spotlight Overrides Mail.app Privacy Settings, Could Give Spammers A Leg Up

Spam and marketing emails often contain content—typically images served up from a remote Web server—that makes it possible to see whether recipients actually opened the message in question. It works much like the “tracking pixel” images that many sites use to glean information about who is viewing the site: when the image is fetched, the server typically learns details such as your IP address and some info about your computer—your OS, web browser, and so on.

In OS X’s Mail.app, you can block these tracking methods—often known as “Web bugs”—by opening the Preferences window, going to the Viewing tab, and unchecking the box labelled “Load remote content in messages.” But as IDG News Service’s Loek Essers reports, OS X Yosemite’s Spotlight search disregards this setting, thus defeating its purpose whenever you view previews of email messages within the Spotlight window.
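As an added illustration (not code from the article, Apple, or IDG): a small Python checker that lists the remote images an HTML email would pull from the network when a client renders it, which are exactly the fetches the “Load remote content” setting exists to block. The sample message and the example.com hostnames are constructed for the demonstration.

```python
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse


class _ImgCollector(HTMLParser):
    """Collect the attributes of every <img> tag in an HTML part."""
    def __init__(self):
        super().__init__()
        self.images = []

    def handle_starttag(self, tag, attrs):
        if tag == "img":  # HTMLParser already lower-cases tag names
            self.images.append({k: (v or "") for k, v in attrs})


def find_remote_images(raw_message):
    """List every <img> a client would fetch from a remote server when rendering the message.
    Each such fetch reveals the reader's IP address and client details to that server, which is
    what Mail.app's "Load remote content" setting blocks. cid:/data: images never hit the network."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    findings = []
    for part in msg.walk():  # walk() also covers multipart/alternative messages
        if part.get_content_type() != "text/html":
            continue
        collector = _ImgCollector()
        collector.feed(part.get_content())
        for attrs in collector.images:
            url = urlparse(attrs.get("src", ""))
            if url.scheme not in ("http", "https"):
                continue
            w, h = attrs.get("width", "").strip(), attrs.get("height", "").strip()
            findings.append({"url": attrs["src"], "host": url.hostname,
                             "tracking_pixel": w in ("0", "1") and h in ("0", "1"),  # invisible; exists only to be fetched
                             "has_token": bool(url.query)})  # per-recipient id in the query string
    return findings


# Constructed sample message (not a real spam sample): an inline logo, a 1x1 beacon, a remote banner.
SAMPLE_EMAIL = b"""From: promo@example.com
Subject: Big sale
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body>
<img src="cid:logo@example.com" width="200" height="60">
<img src="https://track.example.com/open?uid=ABC123" width="1" height="1">
<img src="http://cdn.example.com/banner.png" width="600" height="120">
</body></html>
"""
```

Running `find_remote_images(SAMPLE_EMAIL)` reports the beacon and the banner but not the inline logo; the beacon is flagged as a 1x1 pixel carrying a per-recipient token.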

The German tech news outlet Heise originally reported on this issue, but IDG News Service has since been able to confirm its existence.

According to Essers, you would need to turn off Spotlight’s ability to search for and display Mail results in order to avoid the issue—pending a fix from Apple, anyway. To do so, pop open System Preferences, click Spotlight, and go to the Search Results tab. Scroll down, and uncheck “Mail & Messages.”

How big a problem is this?

Although this is a potential privacy issue, it’s important to keep it in perspective. Your passwords aren’t at risk, for instance, and neither are your personal files.

Also, a tracking pixel isn’t the same thing as a tracking cookie: a tracking pixel or Web bug can reveal some information about readers, but tracking cookies do something different. Advertisers use tracking cookies to see which websites you visit in order to get an idea of what you’re interested in, with the goal of serving you ads tailored to your interests.

Instead, the concern here is that Spotlight may be indirectly contributing to the proliferation of spam and malware. If spammers and malware distributors know that you’ve opened an email, they may be able to tell that your email address is valid and actively used, and target it with more spam or malware-laden emails. And as Essers points out, “knowing more details about a user’s system could potentially be interesting information for hackers.”

In other words, this Spotlight issue is not a reason for panic, but it is reason for caution. If you can live without seeing email results in Spotlight, consider turning that feature off until Apple issues a fix. And as always, be mindful of the links you click on in emails and the file attachments you download.

[Obligatory disclosure: I am a former IDG employee and current freelance contributor to various IDG publications.]

Nick spends way too much time in front of a computer, so he figures he may as well write about it. He's previously written for IDG's PCWorld and TechHive.