OS X Spotlight bug leaves users vulnerable

A bug has been discovered in Apple's OS X system-wide search tool, Spotlight, allowing potentially valuable information to be accessible to email phishers, spammers and hackers.

Sending emails containing pictures that are hosted on an external server is a common way for marketers and phishers alike to obtain tracking information from those who open the emails. Often these images are so tiny that they are invisible to the recipient, yet the request the recipient's machine makes to the sender's server in order to fetch the image relays valuable information back to the sender. Information such as whether the email account is active, browser details and OS details could all be exploited by cyber-criminals to form a targeted attack against the recipient's computer.

A common and effective way to prevent this information from being tracked is simply to block external content from loading when an email message is opened. Thus there was cause for concern when the German security publication Heise uncovered that the Spotlight tool renders such blocking useless when it "previews" emails in its search results. In effect, externally hosted images are loaded and rendered by the preview mechanism, thereby sending the data to the external server where the image is hosted.

There is hope, however. Those who are aware of this bug can manually disable mail and message previewing in the search results that Spotlight generates. Heise has also released a plug-in for Spotlight's preview feature (called Quick Look) that shows plain-text email previews instead of loading dubious external content.
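The mitigation the article describes, showing plain text instead of rendering remote content, as an added example in Python (my own code, not Heise's plug-in and not Apple's): it parses a constructed sample message, reports which externally hosted resources the HTML part would fetch if it were rendered, flags the 1x1 tracking pixel, and returns a preview built from the text/plain alternative (or, failing that, the visible text of the HTML) that triggers no network request. The function names, the `example.invalid` hosts and the message itself are assumptions made for the example.

```python
"""Safe email preview: detect remote-content beacons, never fetch them.

Added illustration of the article's mitigation (plain-text preview instead of
rendered HTML). This is not Heise's Quick Look plug-in and not Apple code; the
sample message below is constructed for the example.
"""
from email import message_from_string
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Attributes that make a mail client fetch something over the network when the
# HTML is rendered. "href" counts only on <link> (stylesheets), not on <a>.
REMOTE_ATTRS = {"src", "background", "poster", "href"}


class RemoteContentScanner(HTMLParser):
    """Collect remote URLs referenced by the HTML plus its visible text."""

    def __init__(self):
        super().__init__()
        self.remote = []        # (tag, url, is_beacon) tuples
        self.text_parts = []    # visible text, used for a text-only preview
        self._skip = 0          # depth inside <style>/<script>

    def handle_starttag(self, tag, attrs):
        if tag in ("style", "script"):
            self._skip += 1
        for name, value in attrs:
            if value is None or name not in REMOTE_ATTRS:
                continue
            if name == "href" and tag != "link":
                continue
            # Only network schemes matter; cid: (inline attachments) is local.
            if urlsplit(value).scheme in ("http", "https") or value.startswith("//"):
                self.remote.append((tag, value, self._is_beacon(tag, attrs)))

    def handle_endtag(self, tag):
        if tag in ("style", "script") and self._skip:
            self._skip -= 1

    def handle_data(self, data):
        if not self._skip and data.strip():
            self.text_parts.append(data.strip())

    @staticmethod
    def _is_beacon(tag, attrs):
        """A 1x1 or hidden image is the classic tracking pixel."""
        if tag != "img":
            return False
        a = dict(attrs)
        tiny = a.get("width") in ("0", "1") or a.get("height") in ("0", "1")
        hidden = "display:none" in (a.get("style") or "").replace(" ", "")
        return tiny or hidden


def scan_html(html: str) -> RemoteContentScanner:
    scanner = RemoteContentScanner()
    scanner.feed(html)
    scanner.close()
    return scanner


def safe_preview(raw_message: str, max_chars: int = 200) -> dict:
    """Build a preview that never causes a fetch, and report what rendering
    the HTML part would have fetched (and which of those look like beacons)."""
    msg = message_from_string(raw_message)
    plain = html = None
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype in ("text/plain", "text/html"):
            body = part.get_payload(decode=True).decode(part.get_content_charset() or "utf-8")
            if ctype == "text/plain" and plain is None:
                plain = body
            elif ctype == "text/html" and html is None:
                html = body
    remote, fallback = [], ""
    if html is not None:
        scanner = scan_html(html)
        remote = scanner.remote
        fallback = " ".join(scanner.text_parts)
    text = (plain if plain is not None else fallback).strip()
    return {
        "preview": text[:max_chars],
        "remote_urls": [url for _, url, _ in remote],
        "beacons": [url for _, url, beacon in remote if beacon],
    }


# Constructed sample: a marketing-style message with a 1x1 open-tracking pixel.
SAMPLE_MESSAGE = """\
From: sender@example.invalid
To: you@example.invalid
Subject: Your account statement
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Your statement is ready. Log in to view it.
--b1
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Your statement is ready. <a href="https://tracker.example.invalid/login?u=123">Log in</a> to view it.</p>
<img src="https://tracker.example.invalid/open.gif?id=123" width="1" height="1">
<img src="cid:logo" alt="logo">
<link rel="stylesheet" href="https://tracker.example.invalid/style.css">
</body></html>
--b1--
"""

if __name__ == "__main__":
    result = safe_preview(SAMPLE_MESSAGE)
    print("preview :", result["preview"])
    print("would fetch:", result["remote_urls"])
    print("beacons :", result["beacons"])
```

The preview a client or search tool displays should come from `result["preview"]`; the `remote_urls` list is what a rendering preview such as the one described above would silently request, and `beacons` is the subset worth surfacing to the user or a mail filter. Inline `cid:` attachments and ordinary `<a href>` links are deliberately not counted, since neither is fetched just by displaying the message.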