
Comment by jijijijij

9 hours ago

I think they are hinting at the ad hoc "use hidemyemail" feature within e.g. the mail client.

I don't know what I am doing, but from a quick test, the mail header is at least disclosing the internal recipient (mail@host.com) "translation address" (as mail_at_host_com_12345abc_12345abc@icloud.com) and an alias creation date. But the latter seems to be a Unix timestamp related to the real address alias creation time and is identical between a hidemyemail mail and a normal one, so there may be already a possible information leak for correlation. Side note, it also seems like the sending hidemyemail server contains the unsuspicious name "junk_forwarder". Lol.

Disclosing an address as alias and particularly as throwaway alias (through the translation address and server) already seems kinda counterproductive to begin with, but I would bet you can use this information somehow to get the sender "translation address". Either by some API interaction, or by messing with the mail header scrubbing of the translation service somehow. A server named "junk_forwarder" may be a little more lenient about what to accept or not.

Edit: Can confirm the Reddit comment linked. You simply send an email to the HME address, reply from Apple mail client, and then the real mail address gets disclosed. Mind you not even hidden. It's shown as sending from the HME alias in mail, but I received the mail with the real address as sender......... Jesus fucking christ, Apple. Did you even test this a little?

> You send an email to the HME address, reply, and then the real mail gets disclosed in the mail source.

Does the initial sender matter? Like if it’s the HME address that sends first and receives the reply? I have around 180 of these addresses.

  • > then the real mail gets disclosed in the mail source.

    It's not just in the source, I totally overlooked the fact the real email address is shown as sender. Lol.

    > Does the initial sender matter? Like if it’s the HME address that sends first and receives the reply? I have around 180 of these addresses.

    Appears so. Here is exactly what I did:

    1. Created the HME through mail, sending to other email service address (OMA). (This disclosed the information in my original comment.)

    2. Did some reply ping pong. (No additional disclosure.)

    3. Sent a new email from OMA to above HME.

    4. Replied from iOS mail client (UI showing usage of HME alias. Yes, I verified this multiple times not to make a fool of myself.)

    5. Received at OMA, the real address is disclosed.

    6. On the iOS client side, the mail shows up as sent from the real mail address, too.

    Not sure if 1. for HME creation is required, you can likely skip straight to 3. for any HME address.

    Funny enough, I observed 6. in the wild before, but was kinda hoping that's an artifact of forwarding a copy of the mail to the thread. I tested this some, but not this particular ping-pong. So yeah... I'm now gonna check where I evidently leaked my real mail address already...

    • Did #1 on macOS Mail.app, but #4 on iOS Mail client like you.

      #5., real address not disclosed at OMA for me.

      (now that I see the reddit thread) is this potentially Yahoo/Sonic-only?
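A way to check a received or sent message for the two disclosures discussed in this thread, as an added example that is not part of any comment here: it scans every header for the real address and for its "translation" form. The translation rule is an assumption inferred from the single `mail_at_host_com_...` example above, and the header name `X-Constructed-Trace` and both sample messages are constructed.

```python
from email import message_from_bytes, policy

# Headers whose content the recipient's mail client displays or replies to.
VISIBLE = {"from", "sender", "reply-to"}


def translation_form(address: str) -> str:
    # Assumption drawn from the one example in the thread:
    # mail@host.com -> mail_at_host_com_<suffix>@icloud.com
    return address.lower().replace("@", "_at_").replace(".", "_")


def find_leaks(raw: bytes, real_address: str) -> list:
    """Return (header, kind, visible) for each header exposing real_address."""
    msg = message_from_bytes(raw, policy=policy.default)
    needles = {
        "address": real_address.lower(),
        "translation": translation_form(real_address),
    }
    findings = []
    for name, value in msg.items():
        text = str(value).lower()
        for kind, needle in needles.items():
            if needle in text:
                findings.append((name, kind, name.lower() in VISIBLE))
    return findings


# Constructed sample: a reply that arrived with the real address as sender.
LEAKY_REPLY = b"""\
From: mail@host.com
To: oma@example.org
Subject: Re: test
X-Constructed-Trace: for mail_at_host_com_12345abc_12345abc@icloud.com

reply body
"""

# Constructed sample: a reply that only shows the alias.
CLEAN_REPLY = b"""\
From: alias_constructed@icloud.com
To: oma@example.org
Subject: Re: test

reply body
"""

if __name__ == "__main__":
    for label, raw in (("leaky", LEAKY_REPLY), ("clean", CLEAN_REPLY)):
        print(label, find_leaks(raw, "mail@host.com"))
```

Findings with `visible` set to `True` correspond to the case where the real address is shown as sender; the others only appear in the mail source.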