A recently discovered vulnerability in the macOS Mail app, caused by Siri’s email analysis and affecting Catalina and the previous three releases, means that users’ encrypted emails aren’t actually staying encrypted. While Apple is working on a fix for the bug, read on for more details about the issue and a couple of workarounds you can apply now.

As reported by The Verge, Apple IT specialist Bob Gendler discovered the vulnerability over three months ago and reported it to Apple on July 29th. After quite the wait, Gendler heard back from Apple this week with a solution, which will be included in a future update. He shared more about his findings in a Medium post this week.

Gendler discovered that the macOS Mail app encryption bug affects Catalina, Mojave, High Sierra, and Sierra users. Last year we saw a vulnerability in the HTML rendering of the iOS and macOS Mail apps that also exposed the apps’ encrypted emails in plaintext. This new bug has to do with Siri analyzing emails and leaving an unencrypted version of them accessible on the Mac.

Gendler found that one of the files Siri creates for that analysis, snippets.db, was storing the unencrypted text of emails that were supposed to be encrypted. Here’s an image he shared that helps explain what’s going on:

How to make sure your emails on macOS are encrypted

While Apple works on a fix for this bug, there are two ways to make sure your emails remain encrypted.

Option 1:

  • Turn on FileVault via System Preferences > Security & Privacy > FileVault

Option 2:

  • If you prefer not to turn on FileVault, you can stop Siri from analyzing your email
  • Head to System Preferences > Siri > Siri Suggestions & Privacy
  • Click Mail and then uncheck Learn from this App
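If you want to confirm where you stand before or after applying either option, here is an added POSIX shell check (not code from the article or from Gendler). It assumes snippets.db lives at ~/Library/Suggestions/snippets.db, a path this article does not give, and reads FileVault state with the stock `fdesetup status` command; run it with a phrase from a message you know was sent encrypted.

```shell
#!/bin/sh
# Added example: check whether plaintext from an encrypted message has landed in
# Siri's snippets.db and whether FileVault is covering it. The default path below
# is an assumption (the article only names the file), so override SNIPPETS_DB
# if your copy lives elsewhere.
SNIPPETS_DB="${SNIPPETS_DB:-$HOME/Library/Suggestions/snippets.db}"

# Prints "on", "off", or "unknown" (e.g. when fdesetup is not available).
filevault_state() {
    if ! command -v fdesetup >/dev/null 2>&1; then
        echo unknown
        return
    fi
    case "$(fdesetup status 2>/dev/null)" in
        *"FileVault is On"*)  echo on ;;
        *"FileVault is Off"*) echo off ;;
        *)                    echo unknown ;;
    esac
}

# Prints how many times a phrase appears in the database file.
# $1 = path to snippets.db, $2 = phrase from a message sent encrypted.
phrase_hits() {
    db="$1"; phrase="$2"
    [ -f "$db" ] || { echo 0; return; }
    # -a treats the SQLite file as text, -F matches literally, -o prints one line
    # per match so wc -l counts occurrences; tr strips macOS's padding from wc.
    grep -a -o -F -- "$phrase" "$db" | wc -l | tr -d ' '
}

# Verdict: plaintext present without FileVault is the exposed case the
# article describes; plaintext under FileVault is at least encrypted at rest.
assess() {
    hits=$(phrase_hits "$1" "$2")
    fv=$(filevault_state)
    if [ "$hits" -gt 0 ] && [ "$fv" != on ]; then
        echo exposed
    elif [ "$hits" -gt 0 ]; then
        echo "leaked but disk-encrypted"
    else
        echo "no plaintext found"
    fi
}

if [ -n "$1" ]; then
    echo "FileVault:   $(filevault_state)"
    echo "snippets.db: $SNIPPETS_DB"
    echo "Verdict:     $(assess "$SNIPPETS_DB" "$1")"
fi
```

Turning off "Learn from this App" stops new snippets being written but does not remove text already in the file, so re-run the check after applying the workaround.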