watchOS 8.5 fixes Mail privacy protection loophole that could expose IP addresses


watchOS 8.5 fixes a security vulnerability in the Mail app that could have leaked a user’s IP address when downloading remote content, security researchers have found.


Last year, it emerged that Apple’s Mail Privacy Protection feature had been weakened due to the lack of Apple Watch support. Mail Privacy Protection was a new feature introduced with iOS 15, iPadOS 15, and macOS Monterey that hides your IP address so that senders can’t determine your location or associate email habits with your other online activity. It also prevents senders from tracking whether you’ve opened an email, how many times you’ve viewed the email, and whether you’ve forwarded the email.

The feature works by routing all the content downloaded by the Mail app through multiple proxy servers to strip your IP address, and then assigns a random IP address that matches your general area, so that email senders see general information about you rather than specific information.

Apple’s legal documentation on Mail Privacy Protection indicates that the feature is only available for iPhone, iPad, and Mac, but security researchers and developers Talal Haj Bakry and Tommy Mysk found that since the Apple Watch doesn’t hide the recipient’s IP address, it can compromise the overall security provided by Mail Privacy Protection.

The Apple Watch downloaded remote content, such as when receiving a Mail notification and opening an email, using the recipient’s real IP address, meaning that even users who had enabled Mail Privacy Protection on their iPhone may have had their IP address exposed.

While Mail Privacy Protection is a feature exclusive to iOS 15, iPadOS 15, and macOS Monterey, merely receiving a Mail notification on the Apple Watch could reveal the user’s IP address and bypass Mail Privacy Protection on other devices. Now, Bakry and Mysk have found that Apple has fixed the problem in watchOS 8.5.

As of watchOS 8.5, loading remote content on the Apple Watch is automatically blocked, and the Watch offers the option to “Load content directly” instead. Users can select “Always load content directly” for all new emails or “Ask to load content” on a per-email basis. The release notes for watchOS 8.5 did not include the improvement.
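
The block-by-default behaviour described above, sketched as an added example (not Apple's code and not from the original article): a mail renderer that strips remote fetches from an HTML body unless the user opts to load content directly. The names `RemoteContentBlocker` and `render_body` and the `tracker.example` URLs are constructed for illustration.

```python
import html
import re
from html.parser import HTMLParser

# Tag/attribute pairs that make a client fetch a URL when the mail is rendered.
FETCHING = {("img", "src"), ("link", "href"), ("iframe", "src"),
            ("video", "poster"), ("source", "src"), ("body", "background")}
REMOTE = re.compile(r"^\s*(https?:)?//", re.I)  # http://, https://, //host
CSS_URL = re.compile(r"url\(\s*['\"]?\s*(?:https?:)?//[^)]*\)", re.I)

class RemoteContentBlocker(HTMLParser):
    """Rebuilds an HTML body with remote fetches removed.
    Comments and doctype are dropped; <style> blocks are not covered."""

    def __init__(self):
        super().__init__(convert_charrefs=False)
        self.out, self.blocked = [], []

    def _start(self, tag, attrs, selfclose):
        kept = []
        for name, value in attrs:
            value = value or ""
            if (tag, name) in FETCHING and REMOTE.match(value):
                self.blocked.append(value)  # drop the attribute entirely
                continue
            if name == "style" and CSS_URL.search(value):
                self.blocked.extend(CSS_URL.findall(value))
                value = CSS_URL.sub("none", value)
            kept.append(f' {name}="{html.escape(value)}"')
        self.out.append(f"<{tag}{''.join(kept)}{' /' if selfclose else ''}>")

    def handle_starttag(self, tag, attrs): self._start(tag, attrs, False)
    def handle_startendtag(self, tag, attrs): self._start(tag, attrs, True)
    def handle_endtag(self, tag): self.out.append(f"</{tag}>")
    def handle_data(self, data): self.out.append(data)
    def handle_entityref(self, name): self.out.append(f"&{name};")
    def handle_charref(self, name): self.out.append(f"&#{name};")

def render_body(body, load_directly=False):
    """Return (html, blocked_urls); remote content is blocked unless opted in."""
    if load_directly:
        return body, []
    parser = RemoteContentBlocker()
    parser.feed(body)
    parser.close()
    return "".join(parser.out), parser.blocked

# Constructed sample body: a tracking pixel, an inline (cid:) image, a CSS fetch.
SAMPLE = ('<p>Hi &amp; welcome</p><img src="https://tracker.example/open.gif?u=42" width="1">'
          '<img src="cid:logo@local"><div style="background:url(https://tracker.example/bg.png)">x</div>')
```

Inline `cid:` images survive because they are carried in the message itself and cause no network request, so nothing about the recipient's address reaches the sender.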

watchOS 8.5 was released to the public yesterday and the update brings a number of other improvements, including updates to irregular heart rhythm notifications designed to improve atrial fibrillation detection, audio cues in Apple Fitness+ workouts, the ability to authorize Apple TV purchases and subscriptions, and the ability to restore an Apple Watch using an iPhone.