logoalt Hacker News

rubatugatoday at 5:22 PM4 repliesview on HN

Is it based on mail undeliverable errors? Or attempts to login using IMAP or SMTP with it? Or is it exposed during the SMTP protocol?


Replies

hunter2_today at 5:25 PM

As someone who doesn't rely on this feature, I'd love to know now as well, but perhaps the etiquette in public would be to align ourselves with:

> we will not discuss or disclose the details of the exploits until they're fixed.

But if there's a public forum where the cat's already out of the bag, then game on. Perhaps this:

https://www.reddit.com/r/apple/comments/1ukilw1/apple_hide_m...

...which makes it seem like perhaps the attack surface is limited to scenarios involving a Yahoo/Sonic address (assuming that Apple only sends X-Sonic-* headers when talking to those providers that want to see it), which might be a small percentage of users.

show 1 reply
Dibby053today at 5:32 PM

My guess would be it has nothing to do with email itself. Maybe it's some iCloud API that accepts obfuscated emails but returns the original email in the response, or an ID which can be used to retrieve the iCloud email from another API endpoint. Could be as simple as an "add contact/friend" feature in some Apple product (like a mail client, or a file sharing service) that resolves the obfuscated email to the original iCloud account.

show 1 reply
nashashmitoday at 6:32 PM

I wonder if it is replies to delivery receipts that causes this problem