Security researchers have disclosed that there is a security flaw in the "hide email address" privacy protection function of Apple's iCloud+, which allows attackers to bypass the protection mechanism and obtain the user's real email address. The vulnerability has existed for more than a year and Apple has yet to fix it.
This feature is supposed to allow users to generate random anonymous email addresses (such as [email protected]) to replace the real email registration service, and all forwarded emails will not expose the real address. However, according to 404 Media, researcher Tyler Murphy and his team discovered and verified this vulnerability: In the test, they used a newly generated hidden email address for testing, and after about five minutes, they successfully detected the real iCloud email address associated with it.
Murphy first reported the issue to Apple in June 2025, and Apple later said it was investigating. In March this year, Apple said it had been "addressed in recent system changes," but Murphy found that the vulnerability still existed and reported it again in May. Apple responded that it is still investigating and plans to fix it in a future security update, but has not yet provided a specific timetable. "We don't know why it hasn't been fixed yet, but we can't wait any longer," Murphy said. "Users using this feature have a right to know that attackers may discover their hidden email addresses."
The risk of this vulnerability is that public "human flesh search" websites can easily associate email addresses with other personal information, and users who rely on "hidden email addresses" to protect their privacy may be at risk. At the same time, Apple has previously announced plans to move the anonymous email domain name of this feature from @icloud.com to @private.icloud.com, which will make it easier for websites and services to identify and block anonymous email addresses generated by "hidden email addresses", further weakening its privacy protection effect.
