Spotlight Suggestions and Web Bugs
Using the Spotlight search feature in OS X Yosemite can leak IP addresses and private details to spammers and other e-mail-based scammers, according to tests independently performed by two news outlets.
[…]
Mail allows users to block remote images for precisely this reason. But even when remote image viewing is disabled in Yosemite-based Mail app settings, the images will be opened by Spotlight, according to two recent media reports. The feature is used to search a Mac for files or e-mail containing a specified search term. When Spotlight returns a preview of e-mails containing the term, it loads the images, overriding the option. Images are loaded even when the previewed message has landed in a user’s junk mail folder.
As described above, email can be turned into a pseudo webpage by requesting server-side images — including tracking pixels — be loaded into them. Instead of attaching an image, which embeds the image in the email, they pull it from a website: http://example.com/image.gif. If “load remote content” is enabled, that image will be pulled as soon as you open the email, and the website will get your IP address and other information just as if you visited the site directly.
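To make the mechanism concrete, here is an added example (not code from the post or from Apple) that parses an HTML e-mail and lists every image the client would have to fetch from a remote server, flagging the ones that look like web bugs (1×1, hidden, or carrying a per-recipient query string). The message is constructed for the example.

```python
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message (not from the page): one embedded cid: image, one remote tracking pixel.
SAMPLE_EMAIL = """\
From: newsletter@example.com
Subject: Weekly update
Content-Type: text/html; charset=utf-8

<html><body>
<img src="cid:logo@example.com" alt="logo">
<img src="http://example.com/track.gif?uid=12345" width="1" height="1" style="display:none">
<img src="https://example.com/photo.jpg" width="400" height="300">
</body></html>
"""

class _ImgCollector(HTMLParser):
    """Collects the attributes of every <img> tag in an HTML body."""
    def __init__(self):
        super().__init__()
        self.images = []
    def handle_starttag(self, tag, attrs):
        if tag == "img":
            self.images.append(dict(attrs))

def find_remote_images(raw_message):
    """Return (url, likely_web_bug) for each http/https <img> in the HTML body."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    body = msg.get_body(preferencelist=("html",))
    if body is None:
        return []
    collector = _ImgCollector()
    collector.feed(body.get_content())
    results = []
    for attrs in collector.images:
        src = attrs.get("src", "")
        if urlparse(src).scheme not in ("http", "https"):
            continue  # cid:/data: images ship inside the message; nothing is fetched
        tiny = attrs.get("width") == "1" and attrs.get("height") == "1"
        hidden = "display:none" in attrs.get("style", "").replace(" ", "")
        tagged = "?" in src  # query string often carries a per-recipient identifier
        results.append((src, tiny or hidden or tagged))
    return results

if __name__ == "__main__":
    for url, suspicious in find_remote_images(SAMPLE_EMAIL):
        print(("web bug? " if suspicious else "remote   ") + url)
```

Every URL this reports is a request the sender's server would see, with your IP address, the moment a client (Mail, Spotlight, or Quick Look) renders the message with remote loading on.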
As I recall, the same bug has always been present in Quick Look. Quick Look thumbnails seemingly try to load the images but are thwarted by the sandbox. Quick Look previews load the images regardless of the setting in Mail.
See also: Spotlight Suggestions and Privacy and SpamSieve’s documentation on Web bugs.
I know a great many « Apple Heads » look down on Little Snitch, but I find blocking all network access to the Spotlight and Quick Look processes saves a lot of headaches on Yosemite. Not only does it improve privacy — albeit in a sledgehammer-y kind of way — it prevents either of them from going down a resource-consuming rabbit hole of remote data fetching, which often results in time-outs, spinning beach balls, and whirling fans.
"I know a great many « Apple Heads » look down on Little Snitch"
Who are these people? It's the first app I install on any Mac.