A claim has been raised that a vulnerability has been found in Apple’s privacy feature, Hide My Email, that could allow a user’s real email address to be tracked.
On July 1 local time, TechCrunch reported that security researcher Tyler Murphy (타일러 머피) said he discovered a bug that could identify real email addresses through one-time addresses generated by Apple’s Hide My Email feature.
Hide My Email is a feature that protects personal information by generating a temporary email address when users sign up for websites or apps instead of using their real email. Apple has introduced it as one of its signature privacy features that reduces online tracking and exposure of personal information.
If the claim is true, there are concerns that the feature’s core purpose could be undermined. Murphy said he reported the vulnerability to Apple more than a year ago. He said the issue has yet to be resolved, and it is not known why Apple has not fixed it.
He claimed that every exploit attempt he tried succeeded. It has not yet been confirmed how much it affects all users, but in tests conducted with limited volunteers, he said 100 percent of Hide My Email addresses could be abused to track real email addresses. He did not disclose specific attack methods or technical details, citing the possibility of real-world misuse.
Online outlet 404 Media also reported that it confirmed the same phenomenon after testing the vulnerability itself. Murphy is also a co-founder of personal data deletion service provider EasyOptOuts (이지옵트아웃츠).
He warned that publicly searchable people-information sites on the internet easily link email addresses with other personal data, saying, "Users who think their personal information is protected by relying only on Hide My Email could be exposed to greater risks than expected."
The controversy is drawing more attention because Apple has positioned privacy protection as a core brand value. Apple has highlighted privacy as a key competitive edge of iPhone and iCloud services, but there have also been previous disputes over the effectiveness of related features. In 2022, a class-action lawsuit was filed after allegations emerged that some apps continued to send usage information to Apple even when the iPhone analytics data transmission feature was disabled.
In 2023, research results were also published saying the randomized MAC address feature, provided to hide users’ real device information when connecting to Wi-Fi, could expose real MAC addresses in certain situations. This vulnerability could also lead to controversy over the reliability of privacy protection features.
So far, Apple has not issued an official position on the vulnerability claim. The industry is watching whether Apple will verify whether the bug exists and release a security patch, and whether it will provide separate guidance to existing users.