A privacy glitch found in the OS X Yosemite Spotlight search function may leak private details, such as a user’s IP address, to spammers.
The potential privacy glitch affects people who have configured the Mac Mail app to turn off the “load remote content in messages” setting, as security experts have long advised. Spammers, stalkers, and online marketers often use remote images as a homing beacon to surreptitiously track people who open email.
Because the images are hosted on a site owned by the sender of the email, the viewer's IP address can be logged, along with the time of day and how often the message was viewed. Many users choose to keep their email addresses, IP addresses, and other information private by setting their email reader to not load images unless otherwise instructed.
However, even when remote image viewing is disabled in the Yosemite Mail app, the images will reportedly be opened by Spotlight. The behavior was reported early Friday by German security publication Heise and later confirmed by IDG News.
At this point, it is unknown if Spotlight also overrides image blocking settings in third-party apps. Apple hasn’t commented on the reports.
At this time, the only way to keep Spotlight from including emails in search results entirely is to open “System Preferences” and uncheck the “Mail & Messages” option for Spotlight.