I clearly remember many years ago that this wasn’t the case with Gmail, when looking for the source IP address in a case involving harassment of a person. I could only get Gmail’s own IP address in the headers from the multiple emails I examined at that time.
Nevertheless, as js2 said in another comment, it’s your mail provider (in this case Gmail) deciding whether to include the sender’s IP address or not.
lapcat 10 hours ago [-]
It's not a Gmail thing:
> The reason why my IP address is visible is because Apple Mail sends emails with SMTP.
Unless you use a proxy, your IP address is visible to an SMTP server, just like it's visible to an HTTP server when you use a web browser. This is not specific to Apple Mail or to Gmail.
saagarjha 9 hours ago [-]
Yeah but I think Gmail seems to actually just keep that header rather than nuking it. To be fair I don't entirely know what I would do to fix it since (like the post) this seems like there aren't many good options here.
js2 7 hours ago [-]
Gmail's SMTP servers are what's adding the received header with your IP address, not Apple Mail.
lapcat 8 hours ago [-]
> I think Gmail seems to actually just keep that header rather than nuking it.
I think that's common among email providers.
7 hours ago [-]
frollogaston 10 hours ago [-]
Yes, was able to repro just now
fckapple 13 hours ago [-]
It’s in the headers. Send an email to your self from Mail and open the source in the inbox. There is your IP.
xoa 11 hours ago [-]
I also just tried this as well, sending an email from a Migadu-based account to one at both Gmail and MXRoute using Mail.app under macOS 15.7.7. Neither included any private IP address info I could find in either headers or raw source. That would be a good leak to know about and as sibling comment said saagarjha definitely knows their stuff, so any tips to replicate would be appreciated.
fckapple 13 minutes ago [-]
Received: from smtpclient.apple (ptr. [ip])
by smtp.gmail.com with ESMTPSA id ...
for <...>
(version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128);
Thu, 02 Jul 2026 ..:..:.. -0700 (PDT)
Using Mail: Version 16.0 (3864.600.51.1.1).
Sent from a Google Apps mail.
ChrisMarshallNY 12 hours ago [-]
Is this from iOS? I just tested from MacOS, and the only IPs were for the transit and auth servers.
I'm not actually doubting it. saagarjha knows his stuff. I just don't see it, so maybe I'm holding it wrong.
Same, I remember it being in the headers long ago but don't see it now. macOS Tahoe, Mail.app client, iCloud email sending to itself or to my Gmail, both set up in default ways, IPv6 disabled
ChrisMarshallNY 7 hours ago [-]
From what I see above, it looks like the trick is to send from Mail.app to an account read by a different app (maybe just Gmail?).
I would need to test with my hosting Webmail client, so maybe tomorrow.
Not for me. I don’t even remember when (or since how many years ago) I turned off Protect My Email and turned on both Hide IP Address and Block All Remote Content. I still have these toggles as they are, despite the fact that I use beta releases as and when they’re released (currently still on iOS 26.x).
LoganDark 14 hours ago [-]
Fetching any email content is always worse than blocking it, because the typical threshold for spam is "is this inbox monitored". If that is true, then blast it with spam. And fetching anything ever proves that the inbox is monitored.
4 hours ago [-]
layer8 14 hours ago [-]
My impression as a Mutt user (which never downloads linked content) is that spammers don’t really care about whether an inbox is “monitored” or not.
tyre 13 hours ago [-]
At least in Gmail, downloading content (e.g. images) is disabled by default for suspicious emails. There is no way for the sender to know if it’s monitored unless this is disabled by explicit user action.
4 hours ago [-]
godelski 11 hours ago [-]
This freaked me out the first time I used Mail. It rendered a PDF about buying bitcoin on PayPal (I don't have PayPal). Looked at the same email in Gmail and Thunderbird, it's just a PDF attachment, no message, and the sender was different. No wonder people are falling for those scams, Mail makes it easy for them.
Now if only I had a better client on my phone (never buying an iPhone again)
bzbz 7 hours ago [-]
What made you prefer Mail to Gmail, given you don’t seem satisfied with Apple’s Mail app?
godelski 13 minutes ago [-]
I prefer Thunderbird
jijijijij 11 hours ago [-]
I am starting to think all these "privacy" features merely exist as excuse for getting people to hand off their mails to Apple. Clearly the all do not deliver on the intended functionality, but the proxy/relay routing happens to some extent anyway. How convenient. If you were a company promising its users all the privacy, but secretly not giving a fuck beyond collecting user traffic and meta data, wouldn't you expect the state of things to look exactly like that? I mean, how could you explain this any other way, considering the size of Apple and the relative ease of developing such features reliably? Apple is hardly breaking ground here.
alexpc201 13 hours ago [-]
I guess the vulnerability should work as follows (I haven't tried it), you send an email with a very large attachment to a "hide my email" address, the server that receives it (private.icloud.com) forwards it to the email server registered in iCloud which, being the very large attachment, sends a response email (from the real address) with the rejected email message. It's the first thing I would try.
js2 10 hours ago [-]
Apple rewrites the From address of before forwarding so that replies go back through its SMTP servers. Those SMTP servers should rewrite the reply not to leak information.
VladVladikoff 11 hours ago [-]
Yeah it’s a good guess. I was also thinking there might be some header leaks. Or possibly if you return server busy on the first attempt or something like this, some sort of edge case the developers overlooked.
ljsocal 2 hours ago [-]
I submitted your post to Apple’s feedback for on iCloud. If others do the same, perhaps they’ll take notice:
Is it based on mail undeliverable errors? Or attempts to login using IMAP or SMTP with it? Or is it exposed during the SMTP protocol?
Dibby053 16 hours ago [-]
My guess would be it has nothing to do with email itself. Maybe it's some iCloud API that accepts obfuscated emails but returns the original email in the response, or an ID which can be used to retrieve the iCloud email from another API endpoint. Could be as simple as an "add contact/friend" feature in some Apple product (like a mail client, or a file sharing service) that resolves the obfuscated email to the original iCloud account.
freehorse 12 hours ago [-]
In the comment section of the 404media article Joseph Cox writes when asked whether it reveals the icloud address the email is forwarded to or the apple id [0]:
> It reveals the email linked to the Apple ID.
So I assume you are right that it has nothing to do with the email itself, but prob some other service that links the obfuscated email to the appleid of the user.
I think they are hinting at the ad hoc "use hidemyemail" feature within e.g. the mail client.
I don't know what I am doing, but from a quick test, the mail header is at least disclosing the internal recipient (mail@host.com) "translation address" (as mail_at_host_com_12345abc_12345abc@icloud.com) and an alias creation date. But the latter seems to be a unix timestamp related to the real address alias creation time and is identical between an hidemyemail mail and a normal one, so there may be already a possible information leak for correlation. Side note, it also seems like the sending hidemyemail server contains the unsuspicious name "junk_forwarder". Lol.
Disclosing an address as alias and particularly as throwaway alias (through the translation address and server) already seems kinda counterproductive to begin with, but I would bet you can use this information somehow to get the sender "translation address". Either by some API interaction, or by messing with the mail header scrubbing of the translation service somehow. A server named "junk_forwarder" may be a little more lenient about what to accept or not.
Edit: Can confirm the Reddit comment linked. You simply send an email to the HME address, reply from Apple mail client, and then the real mail address gets disclosed. Mind you not even hidden. It's shown as sending from the HME alias in mail, but I received the mail with the real address as sender......... Jesus fucking christ, Apple. Did you even test this a little?
impish9208 13 hours ago [-]
> You send an email to the HME address, reply, and then the real mail gets disclosed in the mail source.
Does the initial sender matter? Like if it’s the HME address that sends first and receives the reply? I have around 180 of these addresses.
jijijijij 13 hours ago [-]
> then the real mail gets disclosed in the mail source.
It's not just in the source, I totally overlooked the fact the real email address is shown as sender. Lol.
> Does the initial sender matter? Like if it’s the HME address that sends first and receives the reply? I have around 180 of these addresses.
Appears so. Here is exactly what I did:
1. Created the HME through mail, sending to other email service address (OMA). (This disclosed the information in my original comment.)
2. Did some reply ping pong. (No additional disclosure.)
3. Send a new email from OMA to above HME.
4. Replied from iOS mail client (UI showing usage of HME alias. Yes, I verified this multiple times not to make a fool of myself.)
5. Received at OMA, the real address is disclosed.
6. On the iOS client side, the mail shows up as sent from the real mail address, too.
Not sure if 1. for HME creation is required, you can likely skip straight to 3. for any HME address.
Funny enough, I observed 6. in the wild before, but was kinda hoping that's an artifact of forwarding a copy of the mail to the thread. I tested this some, but not this particular ping-pong. So yeah... I now gonna check where I evidently leaked my real mail address already...
Barbing 10 hours ago [-]
Did #1 on macOS Mail.app, but #4 on iOS Mail client like you.
#5., real address not disclosed at OMA for me.
(now that I see the reddit thread) is this potentially Yahoo/Sonic-only?
dustyharddrive 11 hours ago [-]
6. is a sign of bad UX but not leakage to the recipient.
hunter2_ 16 hours ago [-]
As someone who doesn't rely on this feature, I'd love to know now as well, but perhaps the etiquette in public would be to align ourselves with:
> we will not discuss or disclose the details of the exploits until they're fixed.
But if there's a public forum where the cat's already out of the bag, then game on. Perhaps this:
...which makes it seem like perhaps the attack surface is limited to scenarios involving a Yahoo/Sonic address (assuming that Apple only sends X-Sonic-* headers when talking to those providers that want to see it), which might be a small percentage of users.
15 hours ago [-]
14 hours ago [-]
nashashmi 15 hours ago [-]
I wonder if it is replies to delivery receipts that causes this problem
10 hours ago [-]
10 hours ago [-]
alwa 15 hours ago [-]
It’s hard for me to assess how real this risk is. Without details, we’re just extrapolating from circumstantial vibes.
What’s described sounds like it might be spooky. It might also be a magic trick to some degree… Mr. Cox’s PoC—“I gave a fresh Hide-My-Email alias to a guy who knows who I am, and he told me the email on my Apple ID”—is consistent with the claimed behavior but not exactly watertight.
It also sounds like it might be the sort of thing that’s either “just how the email ecosystem works” or mitigable by covert means. For example, if Apple can identify exploit attempts from its privileged vantage over its infrastructure, maybe that’s the basis for its relaxed impact assessment.
I’m reminded of Amazon’s risk assessment with respect to some Quick bug recently [0]: “yeah, it’s bad, but we checked and there are literally zero people other than you who’ve ever used that feature that way.”
Or maybe it’s the kind of thing that requires a structural sort of tradeoff to conclusively fix. I could imagine the exposure mechanism having something to do with their forthcoming move to segregate aliases to their own “private.icloud.com” domain.
(A move at which Mr. Cox swipes in the 404 Media article, too, of course, but hey—“impact journalism.”)
And then, since we have only vibes to go on, there’s the judgment reflected in the researcher’s email to Apple:
> “It seems that ending new sales of Hide My Email until the problem is fixed would be an effective way to limit the number of customers at risk. Is that an option?” Murphy wrote back.
I can only hope that was a sardonic moment of frustration quoted out of context… Hide My Email is “sold” as a tiny tiny bonus feature of a much bigger iCloud+ product. But as-quoted, it’s giving a little bit of Chicken Little… I’m reminded of the time somebody demanded that a firm I’m familiar with halt all sales (and pay hush money) because of a CRITICAL SECURITY HOLE: you could access the contents of a password field by typing the password in the field, pressing F12 in the browser, and typing $(“#pw-input”).value …
If the flaw really is the sort of thing that required fundamental product changes to fully address—like this domain segregation thing—a year doesn’t seem wild at all to make that transition safely and at scale. Especially if they identified effective mitigations in the meantime.
> > “It seems that ending new sales of Hide My Email until the problem is fixed would be an effective way to limit the number of customers at risk. Is that an option?” Murphy wrote back.
> I can only hope that was a sardonic moment of frustration quoted out of context
I didn't make my point clearly there, and I think it makes more sense in context, but it was a sincere suggestion that Apple could stop allowing new people to use Hide My Email. There are many other email aliasing services, so they wouldn't be depriving people of a unique offering. At the time, I wasn't aware that Hide My Email was only available as part of iCloud+. All I knew was that it wasn't free.
alwa 13 hours ago [-]
Makes sense to me! I'd gone off the 404 Media article originally linked. The way you put it in your blog timeline (now the link of record) makes perfect sense to me:
> We hope that Apple will take steps to limit the attack surface area even before the vulnerability is fixed. Disabling creation of new Hide My Email addresses could be helpful. It also seems responsible to notify all Hide My Email users of the risk.
Thank you for your work, and your persistence against our Sphinx-like overlords!
Can you please clarify whether this is only an issue if I reply to an email sent to one of my HME addresses or whether you can unmask any HME address w/o needing a reply from the recipient.
Can you also clarify whether it matters what the forwarding address is? e.g. whether my HME addresses forward to an icloud.com address (e.g. js2@icloud.com) or say a personal domain associated with my Apple ID (e.g. js2@example.org).
culi 13 hours ago [-]
Thanks for everything y'all do with Easy Opt Outs. I've put a number of family members and acquaintances onto it. I'm glad this service exists at an actually affordable rate
dang 16 hours ago [-]
Thanks! We'll make that the main URL and put the submitted link in the toptext.
To me it seems, at least in this instance there is not even an exploit needed and the feature apparently is just broken beyond belief.
Jbird2k 14 hours ago [-]
As someone who uses this feature I never send messages from a hide my email address as I only use it for random email signups. Am I still at risk of having my email exposed??? It’s also handy for using for free trials lol.
16 hours ago [-]
FabHK 16 hours ago [-]
That's disappointing, both that the vulnerability exists in the first place, and that Apple takes over a year to not even fix it.
kevin_thibedeau 14 hours ago [-]
They're a struggling company and can't hire top talent.
chrisjj 15 hours ago [-]
Not as disappointing as the discover's decision to leave affected users ignorant and hence at risk.
fsuts 16 hours ago [-]
I think you should formally write to Apple and give notice of 30 days to contact you or you will reveal it.
Send it to the USA media and regulator too
tjames7000 15 hours ago [-]
I've been going back and forth with Apple about it for a year. We don't feel comfortable releasing the exploit details even though they're being slow. We think enough people rely on Hide My Email for personal safety that it would be irresponsible.
bill_mcgonigle 7 hours ago [-]
Hopefully nobody in the criminal underworld has figured it out on their own.
Do you believe the mitigation would be difficult to engineer? If, say somebody else, publicly disclosed the unmasking technique how long would you guess it would take Apple to implement a verifiable fix?
chrisjj 15 hours ago [-]
> We think enough people rely on Hide My Email for personal safety that it would be irresponsible.
I am guessing you haven't tried that excuse on the users your witholding is leaving exposed.
tjames7000 14 hours ago [-]
We're hoping that by notifying people that there's a vulnerability, people can stop using Hide My Email if it matters to them. I don't think that disclosing the exploit method will get Apple to fix it faster at this point.
officeplant 13 hours ago [-]
Its the only reason I even pay the $1 a month icloud plan, so might as well cancel it if its gonna be eternally broken.
chrisjj 13 hours ago [-]
The problem there is
users cannot evaluate if it matters to them whilst all information needed to do so is being witheld.
ezfe 13 hours ago [-]
If having your personal email exposed would be a matter of personal safety or similar, then stop using it. If you're just using it for junk mail or to get a free trial then keep using it.
hunter2_ 12 hours ago [-]
Yes, but a mitigation suggestion like "keep using it, except don't do X specific sequence" (for example, send to a Yahoo address via the Reply button, or whatever the case may be) could be helpful as well, since it seems that bad actors (and/or good actors spilling the beans) will figure it out sooner than later anyway.
The value of Hide My Email, SimpleLogin is that you can blend in with the crowd. If you use your own domain then the domain becomes the common link.
sunnybeetroot 14 hours ago [-]
Why not just use cloudflare with catch all email routing?
15 hours ago [-]
jijijijij 15 hours ago [-]
I think "real email" address is underselling it, since that's commonly the apple-ID, which is the gateway to some people's whole digital existence. Not to mention the fact, you tend to use hidemyemail in particular for services you don't want any identity leaked to. The "real email" may contain your legal name already.
charlesfries 14 hours ago [-]
"This is the one thing we didn't want to happen"
frollogaston 12 hours ago [-]
Ok, yet another reason I have a totally separate burner Gmail instead of complicating things like this.
kittikitti 15 hours ago [-]
I use this feature often and I'm very disappointed. Depending on the exploit, I'm awaiting to join a class action lawsuit. I'm constantly humiliated by believing Big Tech's security promises and I've had enough. I suspect that this is yet another intentional backdoor. When these security systems fail, people like me experience violence.
cindyllm 15 hours ago [-]
[dead]
bubbi 16 hours ago [-]
[dead]
maram 13 hours ago [-]
[flagged]
mvdtnz 13 hours ago [-]
Sorry I'm not seeing how your comment is relevant to the orignal post, can you clarify?
maram 12 hours ago [-]
The post is about a vulnerability in Apple under CEO Tim Cook, who did horrible things after Steve Jobs died — most importantly, changing the UI/UX.
They don't seem to know or care what is going on with their own email systems.
Nevertheless, as js2 said in another comment, it’s your mail provider (in this case Gmail) deciding whether to include the sender’s IP address or not.
> The reason why my IP address is visible is because Apple Mail sends emails with SMTP.
Unless you use a proxy, your IP address is visible to an SMTP server, just like it's visible to an HTTP server when you use a web browser. This is not specific to Apple Mail or to Gmail.
I think that's common among email providers.
Using Mail: Version 16.0 (3864.600.51.1.1).
Sent from a Google Apps mail.
I'm not actually doubting it. saagarjha knows his stuff. I just don't see it, so maybe I'm holding it wrong.
I would need to test with my hosting Webmail client, so maybe tomorrow.
Now if only I had a better client on my phone (never buying an iPhone again)
https://www.apple.com/feedback/icloud/
> It reveals the email linked to the Apple ID.
So I assume you are right that it has nothing to do with the email itself, but prob some other service that links the obfuscated email to the appleid of the user.
[0] https://www.404media.co/apple-hide-my-email-vulnerability-re...
I don't know what I am doing, but from a quick test, the mail header is at least disclosing the internal recipient (mail@host.com) "translation address" (as mail_at_host_com_12345abc_12345abc@icloud.com) and an alias creation date. But the latter seems to be a unix timestamp related to the real address alias creation time and is identical between an hidemyemail mail and a normal one, so there may be already a possible information leak for correlation. Side note, it also seems like the sending hidemyemail server contains the unsuspicious name "junk_forwarder". Lol.
Disclosing an address as alias and particularly as throwaway alias (through the translation address and server) already seems kinda counterproductive to begin with, but I would bet you can use this information somehow to get the sender "translation address". Either by some API interaction, or by messing with the mail header scrubbing of the translation service somehow. A server named "junk_forwarder" may be a little more lenient about what to accept or not.
Edit: Can confirm the Reddit comment linked. You simply send an email to the HME address, reply from Apple mail client, and then the real mail address gets disclosed. Mind you not even hidden. It's shown as sending from the HME alias in mail, but I received the mail with the real address as sender......... Jesus fucking christ, Apple. Did you even test this a little?
Does the initial sender matter? Like if it’s the HME address that sends first and receives the reply? I have around 180 of these addresses.
It's not just in the source, I totally overlooked the fact the real email address is shown as sender. Lol.
> Does the initial sender matter? Like if it’s the HME address that sends first and receives the reply? I have around 180 of these addresses.
Appears so. Here is exactly what I did:
1. Created the HME through mail, sending to other email service address (OMA). (This disclosed the information in my original comment.)
2. Did some reply ping pong. (No additional disclosure.)
3. Send a new email from OMA to above HME.
4. Replied from iOS mail client (UI showing usage of HME alias. Yes, I verified this multiple times not to make a fool of myself.)
5. Received at OMA, the real address is disclosed.
6. On the iOS client side, the mail shows up as sent from the real mail address, too.
Not sure if 1. for HME creation is required, you can likely skip straight to 3. for any HME address.
Funny enough, I observed 6. in the wild before, but was kinda hoping that's an artifact of forwarding a copy of the mail to the thread. I tested this some, but not this particular ping-pong. So yeah... I now gonna check where I evidently leaked my real mail address already...
#5., real address not disclosed at OMA for me.
(now that I see the reddit thread) is this potentially Yahoo/Sonic-only?
> we will not discuss or disclose the details of the exploits until they're fixed.
But if there's a public forum where the cat's already out of the bag, then game on. Perhaps this:
https://www.reddit.com/r/apple/comments/1ukilw1/apple_hide_m...
...which makes it seem like perhaps the attack surface is limited to scenarios involving a Yahoo/Sonic address (assuming that Apple only sends X-Sonic-* headers when talking to those providers that want to see it), which might be a small percentage of users.
What’s described sounds like it might be spooky. It might also be a magic trick to some degree… Mr. Cox’s PoC—“I gave a fresh Hide-My-Email alias to a guy who knows who I am, and he told me the email on my Apple ID”—is consistent with the claimed behavior but not exactly watertight.
It also sounds like it might be the sort of thing that’s either “just how the email ecosystem works” or mitigable by covert means. For example, if Apple can identify exploit attempts from its privileged vantage over its infrastructure, maybe that’s the basis for its relaxed impact assessment.
I’m reminded of Amazon’s risk assessment with respect to some Quick bug recently [0]: “yeah, it’s bad, but we checked and there are literally zero people other than you who’ve ever used that feature that way.”
Or maybe it’s the kind of thing that requires a structural sort of tradeoff to conclusively fix. I could imagine the exposure mechanism having something to do with their forthcoming move to segregate aliases to their own “private.icloud.com” domain.
(A move at which Mr. Cox swipes in the 404 Media article, too, of course, but hey—“impact journalism.”)
And then, since we have only vibes to go on, there’s the judgment reflected in the researcher’s email to Apple:
> “It seems that ending new sales of Hide My Email until the problem is fixed would be an effective way to limit the number of customers at risk. Is that an option?” Murphy wrote back.
I can only hope that was a sardonic moment of frustration quoted out of context… Hide My Email is “sold” as a tiny tiny bonus feature of a much bigger iCloud+ product. But as-quoted, it’s giving a little bit of Chicken Little… I’m reminded of the time somebody demanded that a firm I’m familiar with halt all sales (and pay hush money) because of a CRITICAL SECURITY HOLE: you could access the contents of a password field by typing the password in the field, pressing F12 in the browser, and typing $(“#pw-input”).value …
If the flaw really is the sort of thing that required fundamental product changes to fully address—like this domain segregation thing—a year doesn’t seem wild at all to make that transition safely and at scale. Especially if they identified effective mitigations in the meantime.
Then again, maybe they really are negligent…
[0] https://www.theregister.com/columnists/2026/05/13/aws-patche...
> I can only hope that was a sardonic moment of frustration quoted out of context
I didn't make my point clearly there, and I think it makes more sense in context, but it was a sincere suggestion that Apple could stop allowing new people to use Hide My Email. There are many other email aliasing services, so they wouldn't be depriving people of a unique offering. At the time, I wasn't aware that Hide My Email was only available as part of iCloud+. All I knew was that it wasn't free.
> We hope that Apple will take steps to limit the attack surface area even before the vulnerability is fixed. Disabling creation of new Hide My Email addresses could be helpful. It also seems responsible to notify all Hide My Email users of the risk.
Thank you for your work, and your persistence against our Sphinx-like overlords!
Can you also clarify whether it matters what the forwarding address is? e.g. whether my HME addresses forward to an icloud.com address (e.g. js2@icloud.com) or say a personal domain associated with my Apple ID (e.g. js2@example.org).
To me it seems, at least in this instance there is not even an exploit needed and the feature apparently is just broken beyond belief.
Send it to the USA media and regulator too
Do you believe the mitigation would be difficult to engineer? If, say somebody else, publicly disclosed the unmasking technique how long would you guess it would take Apple to implement a verifiable fix?
I am guessing you haven't tried that excuse on the users your witholding is leaving exposed.
Apple is about to make Hide My Email useless
https://news.ycombinator.com/item?id=48559935
https://github.com/webmonch/hide-my-mail-cloudflare