A vulnerability exists in the 'Hide My Email' feature available when signing in with Apple, which could lead to email addresses being leaked.

When creating a new account in apps or web services that support 'Sign in with Apple,' you can use the 'Hide My Email' feature to hide your original email address and protect your privacy. However, a researcher has reported that this feature has a vulnerability that could leak your original email address.
Apple 'Hide My Email' Vulnerability Reveals People's Real Email Addresses
Apple's Hide My Email feature has a bug that's been exposing real email addresses, researcher claims | TechCrunch
https://techcrunch.com/2026/07/01/apples-hide-my-email-feature-has-a-bug-thats-been-exposing-real-email-addresses-researcher-claims/
Apple's Hide My Email feature might not be so private after all - Android Authority
https://www.androidauthority.com/apple-hide-my-email-vulnerability-3683561/
The vulnerability was discovered by Tyler Murphy, co-founder of the personal data protection service EasyOptOuts.
The 'Hide My Email' feature protects email address privacy by generating a unique, random email address for the user and forwarding emails sent to that address to the user's original address, so the original address stays hidden from the app or service. The feature was introduced in iOS 15, released in 2021.
How to use 'Private Email' when signing in with Apple - Apple Support (Japan)
https://support.apple.com/ja-jp/105078

According to Murphy, the 'Hide My Email' feature is '100% exploitable.' Joseph Cox of the news site 404 Media worked with Murphy to verify this, and they confirmed that even when a new account is created using the 'Hide My Email' feature, emails are still sent to the original email address.
Murphy noticed this vulnerability in June 2025 and reported it to Apple. A month later, Apple replied that they were 'investigating the issue,' and in March 2026, they reported that 'the issue had been addressed through recent system changes.' However, the problem had not actually been resolved, so Murphy sent additional information. Apple replied again that they were 'investigating the issue,' and the status remains 'under investigation.'
Apple's email stated, 'To avoid putting our customers at risk, please refrain from disclosing information until the investigation is complete.' Murphy replied, 'I think disabling the 'Private Emails' feature until the issue is resolved would be an effective way to reduce the number of users at risk. Is that an option?' However, he received no response to this question, and Murphy decided to release the information because he 'doesn't know why it hasn't been fixed, but is not willing to wait any longer.'
Since the vulnerability has not yet been addressed, Murphy has not disclosed the details of the vulnerability itself.
Furthermore, in June 2026, Apple changed the domain used for its 'Hide My Email' feature from '@icloud.com' to '@private.icloud.com.' It has been pointed out that this change makes it easier to identify random addresses created with 'Hide My Email,' potentially making them more likely to be blocked by apps and web services.

in Web Service, Security, Posted by logc_nt






