Apple to Fix macOS Mail Vulnerability That Leaves Text of Some Encrypted Emails Readable

by

There's a vulnerability in the macOS version of the Apple Mail app that leaves some of the text of encrypted emails unencrypted, according to a report from IT specialist Bob Gendler (via The Verge).

According to Gendler, the snippets.db database file used by a macOS function that offers up contact suggestions stores encrypted emails in an unencrypted format, even when Siri is disabled on the Mac.

mailencryptionissue

In this email, Gendler demonstrates that the private key has been made unavailable in Mail, rendering the message unreadable. It continues to be available in the database, though.

Gendler initially discovered the bug on July 29 and reported it to Apple. Over the course of several months, Apple said that it was looking into the issue, though no fix ever came. The vulnerability continues to exist in macOS Catalina and earlier versions of macOS dating back to macOS Sierra.

Let me say that again... The snippets.db database is storing encrypted Apple Mail messages...completely, totally, fully -- UNENCRYPTED -- readable, even with Siri disabled, without requiring the private key. Most would assume that disabling Siri would stop macOS from collecting information on the user. This is a big deal.

This is a big deal for governments, corporations and regular people who use encrypted email and expect the contents to be protected. Secret or top-secret information, which was sent encrypted, would be exposed via this process and database, as would trade secrets and proprietary data.

Apple told The Verge that it has been made aware of the issue and will address it in a future software update. Apple also said that only portions of some emails are stored, and provided Gendler with instructions on preventing data from being stored by the snippets database.

This issue affects a limited number of people in practice, and is not something that macOS users should generally worry about. It requires customers to be using macOS and the Apple Mail app to send encrypted emails. It does not impact those who have FileVault turned on, and a person who wanted to access the information would also need to know where in Apple's system files to look and have physical access to a machine.

Still, as Gendler points out, this particular vulnerability "brings up the question of what else is tracked and potentially improperly stored without you realizing it."

Those concerned about this issue can prevent data from being collected in the snippets.db database by opening up System Preferences, choosing the ‌Siri‌ section, selecting ‌Siri‌ Suggestions & Privacy, choosing Mail and then turning off "Learn from this App." This will stop new emails from being added to snippets.db but won't remove those that have already been included.

Apple told The Verge that customers who want to avoid unencrypted snippets being read by other apps can avoid giving apps full disk access in macOS Catalina. Turning on FileVault will also encrypt everything on the Mac.

Full details on the vulnerability can be read in Gendler's Medium article.

Tag: Apple Mail

Popular Stories

iOS 26

6 New Things Your iPhone Can Do in iOS 26.1

Wednesday October 29, 2025 4:22 am PDT by
Apple is about to drop iOS 26.1, the first major point release since iOS 26 was rolled out in September, and there are at least six notable changes and improvements to look forward to. We've rounded them up below. Apple has already provided developers and public beta testers with the release candidate version of iOS 26.1, which means Apple will likely roll out the update to all compatible...
Read Full Article61 comments
ios 26 1 slide to stop

iOS 26.1 Brings Back 2007 Feature in New Way

Friday October 31, 2025 1:40 pm PDT by
The upcoming iOS 26.1 update includes a small but helpful change for iPhones, and it could prevent you from running late to something important. Specifically, when an alarm goes off in the Clock app, there is a new "slide to stop" control on the screen for turning off the alarm. On previous iOS 26 versions, there is simply a large "stop" button, which could be accidentally tapped. The new ...
Read Full Article53 comments
iOS 26

iOS 26.1 Coming Soon: New Features for Your iPhone and Release Date

Monday October 27, 2025 7:55 am PDT by
The upcoming iOS 26.1 update includes a handful of new features and changes for iPhones, including a toggle for changing the appearance of the Liquid Glass design, "slide to stop" for alarms in the Clock app, and more. Below, we outline key details about iOS 26.1. Release Date Given that Apple has yet to seed an iOS 26.1 Release Candidate, which is typically the final beta version, the...
Read Full Article
M5 MacBook Pro

Waiting for New Macs? Apple Just Shared Bad News

Friday October 31, 2025 7:32 am PDT by
Apple has just given a strong indication that it will not be releasing any additional new Macs for the remainder of the year. Apple's CFO Kevan Parekh dropped the hint during the company's earnings call on Thursday:On Mac, keep in mind, we expect to face a very difficult compare against the M4 MacBook Pro, Mac mini, and iMac launches in the year-ago quarter.Parekh essentially gave a heads up ...
Read Full Article86 comments
iPhone 17 Pro Cosmic Orange

8 Reasons to Wait for Next Year's iPhone 18 Pro

Thursday October 30, 2025 4:42 am PDT by
Apple's iPhone development roadmap runs several years into the future and the company is continually working with suppliers on several successive iPhone models at the same time, which is why we often get rumored features months ahead of launch. The iPhone 18 series is no different, and we already have a good idea of what to expect for the iPhone 18 Pro and iPhone 18 Pro Max. One thing worth...
Read Full Article118 comments
maxresdefault

Apple TV 4K Could Still Launch Before 2025 Ends: All the Rumored Features

Monday October 27, 2025 4:51 pm PDT by
Apple is designing an updated version of the Apple TV 4K, and rumors suggest that it could come out sometime in the next couple of months. We're not expecting a major overhaul with design changes, but even a simple chip upgrade will bring major improvements to Apple's set-top box. Subscribe to the MacRumors YouTube channel for more videos. We've rounded up all the latest Apple TV rumors. ...
Read Full Article161 comments
ipad mini 7 feature blue

OLED iPad Mini: Release Date, Pricing, and What to Expect

Wednesday October 29, 2025 7:13 am PDT by
Rumors are stoking excitement for the next-generation iPad mini that Apple is reportedly close to launching. So what should we expect from the successor to the iPad mini 7 that Apple released over a year ago? Read on to find out. Processor and Performance Apple is working on a next-generation version of the iPad mini (codename J510/J511) that features the A19 Pro chip, according to...
Read Full Article66 comments
Coffee Burgundy and Purple iPhone 18 Pro Mock 1

Leaker Outlines Potential New Colors for iPhone 18 Pro

Friday October 31, 2025 8:28 am PDT by
Apple's iPhone 18 Pro models could be available in new rich and warm color option, according to a known leaker. The Weibo user known as "Instant Digital" today suggested that next-year's iPhone 18 Pro models will be available in at least one of the following color options: Coffee, purple, and burgundy. The iPhone XR, iPhone 11, iPhone 12, iPhone 14, and iPhone 14 Pro were all available in ...
Read Full Article125 comments
apple tv hd

Apple Launched Its Big New Vision for TV 10 Years Ago Today

Thursday October 30, 2025 8:58 am PDT by
Apple launched the Apple TV HD, the Siri Remote, tvOS, and their accompanying App Store a decade ago today, marking a major overhaul of the device. The new vision for the Apple TV was unveiled on September 9, 2015 during Apple's "Hey Siri" event in San Francisco, where CEO Tim Cook introduced the device with the statement, "The future of TV is apps." The announcement represented a major...
Read Full Article87 comments

Top Rated Comments

Khedron Avatar
Khedron
78 months ago

Apple has so many bugs now. What a shame. They’re all marketing now
Don't worry Tim's on the case...

Season 2 of The Morning Show will feature 20% more Apple logos.
Score: 17 Votes (Like | Disagree)
Dovydas Avatar
Dovydas
78 months ago

This is overblown. S/MIME = HTTPS for e-mail. Encryped webpages are cached and indexed all the time.

Bob Gendler is acting like S/MIME is some super-high security protocol where it isn't. It doesn't protect "Secret or top-secret information".
The point is if you do something do it properly. What else is overblown by your definition? It is just bad attitude to have period.
Score: 14 Votes (Like | Disagree)
dickie001x Avatar
dickie001x
78 months ago

Who doesn't have FileVault turned on???
Me.
Score: 12 Votes (Like | Disagree)
SDJim Avatar
SDJim
78 months ago
Who doesn't have FileVault turned on???
Score: 9 Votes (Like | Disagree)
Rigby Avatar
Rigby
78 months ago

You missed my point. As I said, we index and cache encrypted webpages all the time for user features.
This is a false equivalence. Unless you actually break the end-to-end encryption (e.g. by forcing the user to accept a new root certificate), you can only index encrypted web page content that is accessible without prior authentication. Encrypted email should *never* be readable by anyone but the addressee, neither in transit nor at rest.

This is absolutely a big deal in corporate environments. Full disc encryption is not a replacement, since e.g. it might be decryptable to admins who should not have access to another employee's protected emails.
Score: 6 Votes (Like | Disagree)
jasnw Avatar
jasnw
78 months ago
Given Apple's track record on fixing Mail problems I'd not expect this to be fixed until, well, ever?
Score: 6 Votes (Like | Disagree)
Read All Comments