
OS X Yosemite Spotlight search ignores Mail content setting posing potential security risk

Apple’s Mac operating system is generally considered to be secure, but German security researchers have discovered what appears to be an oversight in how OS X 10.10 Yosemite’s overhauled search feature, Spotlight, handles remote content loading in messages through the default Mail app.

As Ars Technica reports, Spotlight search on OS X Yosemite appears to override Mail’s security feature that prevents content stored on remote servers, such as images, from being loaded. Spammers can use such remote content to track personal information, including IP address and more.

Within the Mail app itself, the security setting works as intended. For example, if you turn off the toggle labeled ‘Load remote content in messages’, you will no longer see rich emails with images stored on servers in the message.

This behavior, however, does not extend to Spotlight search on OS X Yosemite. If you disable remote content loading and search for a term that pulls up a message from Mail, you will still see remotely stored content, as if the toggle had never been switched. As Ars points out, disabling remotely stored content is a security feature that prevents email-based spammers from accessing personal information including your IP address.

Remote content enabled versus remote content disabled in OS X Mail
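
To see what a preview would request when it loads remote content, the following added example (not from the article, Ars Technica or Apple) lists the references in a message's HTML part that a renderer can fetch without user action, such as tracking images. The sample message and the host tracker.example are constructed.

```python
from email import message_from_bytes, policy
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample message; tracker.example is a placeholder host.
SAMPLE_EML = b"""\
Subject: Constructed sample
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Hello in plain text.
--b1
Content-Type: text/html; charset="utf-8"

<html><head><link rel="stylesheet" href="https://tracker.example/s.css"></head>
<body><img src="http://tracker.example/open.gif?id=abc123" width="1" height="1">
<img src="cid:logo@example.com"><a href="https://example.com/offer">offer</a>
</body></html>
--b1--
"""

# Attributes a renderer can fetch without user action; <a href> needs a click.
AUTO_FETCH = {("img", "src"), ("link", "href"), ("script", "src"),
              ("iframe", "src"), ("body", "background")}

class RemoteRefFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            url = (value or "").strip()
            # cid: and data: references resolve inside the message itself.
            if (tag, name) in AUTO_FETCH and urlsplit(url).scheme in ("http", "https"):
                self.refs.append((tag, url))

def remote_references(raw_message: bytes):
    """Return (tag, url) pairs an HTML renderer would fetch over the network."""
    msg = message_from_bytes(raw_message, policy=policy.default)
    finder = RemoteRefFinder()
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            finder.feed(part.get_content())
    return finder.refs
```

Each URL returned is a request the sender's server would receive, along with the reader's IP address, if the message were rendered with remote content enabled.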

While the remote content load setting is turned off by default in OS X Yosemite, users should expect it to extend to Spotlight search, but alas, that’s not the behavior in the latest version, OS X 10.10.1. In the meantime, concerned users who prefer not to load remote content in messages can avoid using Spotlight search or disable Mail & Messages in Spotlight’s source list in the System Preferences app until a software update fixing the behavior is released.

Your preferences should appear as above if you decide to disable Mail & Messages content from appearing in OS X Yosemite Spotlight search results.

Comments

  1. Taste_of_Apple - 10 years ago

    Let’s hope they fix this soon.

    • The German “Mac & i” magazine from the heise online publisher has published a better solution: It’s a QuickLook plugin that still functions. No need to disable Spotlight Mail search. The plugin prevents data from being preloaded in emails and only shows a data symbol. If you also install the QLStephen Quicklook plugin, searched mails are shown in a plain-text version (with no pictures etc.). Not very nice, but you can still search emails with Spotlight.
      Unfortunately the linked page is in German, but the plugin links are available.
      Put both Quicklook plugins in the Library/QuickLook/ Drawer.
      Restart your Mac or type this command in Terminal mode: qlmanage -r (no Restart needed)

      Links:
      http://www.heise.de/mac-and-i/meldung/Workaround-gegen-Datenschutzpanne-in-OS-X-Yosemite-2514653.html
      http://whomwah.github.io/qlstephen/

      Let’s hope Apple will soon update Yosemite.

  2. Typo in last paragraph “Youur preferences…”

  3. So THIS is why I’m getting SPAM for the first time in about 5 years. THANKS Apple.

  4. Leif Paul Ashley - 10 years ago

    meh… who cares?

Author

Zac Hall

Zac covers Apple news, hosts the 9to5Mac Happy Hour podcast, and created SpaceExplored.com.
