{"id":27225,"date":"2019-11-06T16:59:03","date_gmt":"2019-11-06T21:59:03","guid":{"rendered":"https:\/\/mjtsai.com\/blog\/?p=27225"},"modified":"2020-02-06T14:59:49","modified_gmt":"2020-02-06T19:59:49","slug":"siri-stores-encrypted-e-mails-in-plain-text","status":"publish","type":"post","link":"https:\/\/mjtsai.com\/blog\/2019\/11\/06\/siri-stores-encrypted-e-mails-in-plain-text\/","title":{"rendered":"Siri Stores Encrypted E-mails in Plain Text"},"content":{"rendered":"<p><a href=\"https:\/\/medium.com\/@boberito\/apple-mail-stores-encrypted-emails-in-plain-text-database-fix-included-3c2369ce26d4\">Bob Gendler<\/a>:<\/p>\n<blockquote cite=\"https:\/\/medium.com\/@boberito\/apple-mail-stores-encrypted-emails-in-plain-text-database-fix-included-3c2369ce26d4\"><p>The <em>snippets.db<\/em> database is storing encrypted Apple Mail messages&#8230;completely, totally, fully &mdash; <strong>UNENCRYPTED &mdash; <\/strong>readable, even with Siri disabled, without requiring the private key. Most would assume that disabling Siri would stop macOS from collecting information on the user. This is a big deal. This is a big deal for governments, corporations and regular people who use encrypted email and expect the contents to be protected. Secret or top-secret information, which was sent encrypted, would be exposed via this process and database, as would trade secrets and proprietary data.<\/p><p>[&#8230;]<\/p><p>Another database, <em>entities.db<\/em>, stores records of people&rsquo;s names, email, and phone numbers you&rsquo;ve corresponded with. Although the phone number may not be in your contact list, data from emails such as signature blocks and forward information are stored. It&rsquo;s like an address book built for you. This could be touchy, as it may allow quick and easy access to some potentially sensitive information.<\/p>\n<p>[&#8230;]<\/p>\n<p>For a company that prides itself on security and privacy, the lack of attention to detail on an issue like this completely and totally surprises me. [&#8230;] I also have to wonder why it took 99 days for someone to know the answer on how to prevent this. All parties at Apple were alerted multiple times before writing this blog and giving an ample amount of time before I published this.<\/p><\/blockquote>\n<p>You can prevent it by going into the Siri settings and unchecking Mail. This does not remove e-mails that have already been stored in the database.<\/p>\n<p>The <tt>Suggestions<\/tt> folder is protected from apps that haven&rsquo;t been given permission, but the data is unencrypted on disk if you aren&rsquo;t using FileVault.<\/p>\n\n<p>Previously:<\/p>\n<ul>\n<li><a href=\"https:\/\/mjtsai.com\/blog\/2018\/05\/15\/when-disappearing-messages-dont-disappear\/\">When Disappearing Messages Don&rsquo;t Disappear<\/a><\/li>\n<li><a href=\"https:\/\/mjtsai.com\/blog\/2015\/05\/28\/textexpander-5\/\">TextExpander 5 and Notification Center Privacy<\/a><\/li>\n<\/ul>\n\n<p id=\"siri-stores-encrypted-e-mails-in-plain-text-update-2019-11-08\">Update (2019-11-08): <a href=\"https:\/\/www.theverge.com\/2019\/11\/8\/20954130\/apple-mail-encrypted-unencrypted-email-macos-siri-text\">Jay Peters<\/a>:<\/p>\n<blockquote cite=\"https:\/\/www.theverge.com\/2019\/11\/8\/20954130\/apple-mail-encrypted-unencrypted-email-macos-siri-text\">\n<p>Apple tells <em>The Verge<\/em> it&rsquo;s aware of the issue and says it will address it in a future software update. The company also says that only <em>portions<\/em> of emails are stored. But the fact that Apple is still somehow leaving parts of encrypted emails out in the open, when they&rsquo;re explicitly supposed to be encrypted, obviously isn&rsquo;t good.<\/p>\n<\/blockquote>\n\n<p id=\"siri-stores-encrypted-e-mails-in-plain-text-update-2020-02-06\">Update (2020-02-06): <a href=\"https:\/\/www.macrumors.com\/2020\/02\/05\/macos-10-15-3-fixes-unencrypted-mail-vulnerability\/\">Juli Clover<\/a>:<\/p>\n<blockquote cite=\"https:\/\/www.macrumors.com\/2020\/02\/05\/macos-10-15-3-fixes-unencrypted-mail-vulnerability\/\">\n<p>Apple in macOS 10.15.3 quietly addressed a bug that left some of the text of encrypted emails unencrypted, reports <em><a href=\"https:\/\/www.theverge.com\/2020\/2\/5\/21125033\/apple-macos-catalina-bug-patch-update-encrypted-emails\">The Verge<\/a><\/em>.<\/p>\n<\/blockquote>\n\n<p>See also: <a href=\"https:\/\/mjtsai.com\/blog\/2020\/01\/28\/macos-10-15-3\/\">macOS 10.15.3<\/a>.<\/p>","protected":false},"excerpt":{"rendered":"<p>Bob Gendler: The snippets.db database is storing encrypted Apple Mail messages&#8230;completely, totally, fully &mdash; UNENCRYPTED &mdash; readable, even with Siri disabled, without requiring the private key. Most would assume that disabling Siri would stop macOS from collecting information on the user. This is a big deal. This is a big deal for governments, corporations and [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"apple_news_api_created_at":"2019-11-06T21:59:07Z","apple_news_api_id":"b01dcaee-379c-405d-9756-48b3936e5a7b","apple_news_api_modified_at":"2020-02-06T19:59:52Z","apple_news_api_revision":"AAAAAAAAAAAAAAAAAAAAAg==","apple_news_api_share_url":"https:\/\/apple.news\/AsB3K7jecQF2XVkizk25aew","apple_news_coverimage":0,"apple_news_coverimage_caption":"","apple_news_is_hidden":false,"apple_news_is_paid":false,"apple_news_is_preview":false,"apple_news_is_sponsored":false,"apple_news_maturity_rating":"","apple_news_metadata":"\"\"","apple_news_pullquote":"","apple_news_pullquote_position":"","apple_news_slug":"","apple_news_sections":"\"\"","apple_news_suppress_video_url":false,"apple_news_use_image_component":false,"footnotes":""},"categories":[2],"tags":[126,30,1381,1529,1609,1666,355,247],"class_list":["post-27225","post","type-post","status-publish","format-standard","hentry","category-technology","tag-applemail","tag-mac","tag-macos-10-12","tag-macos-10-13","tag-macos-10-14","tag-macos-10-15","tag-privacy","tag-siri"],"apple_news_notices":[],"_links":{"self":[{"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/posts\/27225","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/comments?post=27225"}],"version-history":[{"count":4,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/posts\/27225\/revisions"}],"predecessor-version":[{"id":28056,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/posts\/27225\/revisions\/28056"}],"wp:attachment":[{"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/media?parent=27225"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/categories?post=27225"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/tags?post=27225"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}