Apple’s Mac operating system is generally considered to be secure, but German security researchers have discovered what appears to be an oversight in how OS X 10.10 Yosemite’s overhauled search feature, Spotlight, handles remote content loading in messages through the default Mail app.
As Ars Technica reports, Spotlight search on OS X Yosemite appears to override Mail's security feature that prevents content stored on remote servers, such as images, from being loaded. Spammers can use such remote content to track personal information including IP address and more.
Within the Mail app itself, the security setting works as intended. For example, if you switch off the toggle labeled 'Load remote content in messages', you will no longer see rich emails with images stored on servers in the message.
This behavior, however, does not extend to Spotlight search on OS X Yosemite. If you disable remote content loading and search for a term that pulls up a message from Mail, you will still see remotely stored content, as if the toggle had never been switched off. As Ars points out, disabling remotely stored content is a security feature that prevents email-based spammers from accessing personal information including your IP address.
Remote content enabled versus remote content disabled in OS X Mail
While the remote content load setting is turned off by default on OS X Yosemite, users should expect it to extend to Spotlight search, but alas, that's not the behavior on the latest version, OS X 10.10.1. In the meantime, concerned users who prefer not to load remote content in messages can avoid using Spotlight search, or disable Mail & Messages in Spotlight's source list in the System Preferences app, until a software update fixing the behavior is released.
Your preferences should appear as above if you decide to disable Mail & Messages content from appearing in OS X Yosemite Spotlight search results.
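To see what a message preview would fetch when remote content is loaded, the added example below (not code from the article, Ars Technica or Apple) lists every remote resource referenced by a message's HTML parts. The function names, the attribute list and the sample message are assumptions constructed for illustration.

```python
import re
from email import message_from_string, policy
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Attributes an HTML renderer dereferences on display, without a click (assumed list).
AUTO_FETCH_ATTRS = {
    "img": ("src",), "input": ("src",), "iframe": ("src",), "embed": ("src",),
    "source": ("src",), "audio": ("src",), "video": ("src", "poster"),
    "object": ("data",), "link": ("href",), "body": ("background",),
    "table": ("background",), "td": ("background",),
}
CSS_URL = re.compile(r"url\(\s*['\"]?([^'\")\s]+)", re.I)

def is_remote(url):
    """True for URLs that need a network request (http, https, protocol-relative)."""
    return url.startswith("//") or urlsplit(url).scheme in ("http", "https")

class RemoteRefs(HTMLParser):
    def __init__(self):
        super().__init__()
        self.refs = []  # (tag, url) pairs, in document order

    def handle_starttag(self, tag, attrs):
        attrs = {k: v or "" for k, v in attrs}
        candidates = [attrs.get(a, "") for a in AUTO_FETCH_ATTRS.get(tag, ())]
        candidates += CSS_URL.findall(attrs.get("style", ""))  # inline CSS images
        self.refs += [(tag, u.strip()) for u in candidates if is_remote(u.strip())]

def remote_content(raw_message):
    """Return (tag, url) for every remote resource in the message's HTML parts."""
    msg = message_from_string(raw_message, policy=policy.default)
    parser = RemoteRefs()
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            parser.feed(part.get_content())
    return parser.refs

# Constructed sample message: one CSS background, one embedded (cid:) image,
# one 1x1 remote image, and an ordinary link that is only fetched on click.
SAMPLE = """\
Subject: Constructed sample
Content-Type: text/html; charset="utf-8"

<p style="background:url('https://img.example.com/bg.png')">Hello</p>
<img src="cid:logo@example.com">
<img src="http://track.example.com/open.gif?id=12345" width="1" height="1">
<a href="https://example.com/unsubscribe">Unsubscribe</a>
"""
```

Calling `remote_content(SAMPLE)` reports the CSS background and the 1x1 image but not the `cid:` attachment or the link, which is the set of requests that would disclose the reader's IP address on display.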