
Comment by alexpc201

5 hours ago

I guess the vulnerability should work as follows (I haven't tried it): you send an email with a very large attachment to a "hide my email" address, the server that receives it (private.icloud.com) forwards it to the email server registered in iCloud which, the attachment being very large, sends a response email (from the real address) with the rejected email message. It's the first thing I would try.

Yeah it’s a good guess. I was also thinking there might be some header leaks. Or possibly if you return server busy on the first attempt or something like this, some sort of edge case the developers overlooked.

Apple rewrites the From address before forwarding so that replies go back through its SMTP servers. Those SMTP servers should rewrite the reply so that it does not leak information.
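The two rewrites the last comment describes (From rewritten on the inbound forward so replies and bounces come back to the relay; From rewritten again and the real address scrubbed on the way out) can be modelled in a few dozen lines. The following is an added example written for this thread, not Apple's code and not a description of how iCloud's relay actually works: the domains, the alias-to-real mapping, the `reply-<token>` address scheme and the bounce text are all constructed. It also plays through the scenario alexpc201 speculates about, an MTA on the real mailbox side bouncing an oversized forward, and shows the difference between a relay that passes the bounce through unchanged and one that scrubs it.

```python
"""Toy model of a "hide my email" style privacy relay (constructed example, not Apple's code)."""
import hashlib
from email.message import EmailMessage

RELAY_DOMAIN = "relay.example"                                  # assumption: relay-owned domain
ALIAS_TO_REAL = {"k7q2p@alias.example": "realuser@mailbox.example"}   # constructed mapping
RELAY_STATE = {}   # token -> (outside_sender, alias); a real relay would persist this


def make_msg(frm, to, subject, body):
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = frm, to, subject
    m.set_content(body)
    return m


def relay_address(outside_sender, alias):
    """Mint an opaque relay-owned address standing for (outside sender, alias).
    Anything sent to it (a human reply or an MTA bounce) lands at the relay, never
    directly between the real mailbox and the outside sender."""
    token = hashlib.sha256(f"{outside_sender}\0{alias}".encode()).hexdigest()[:16]
    RELAY_STATE[token] = (outside_sender, alias)
    return f"reply-{token}@{RELAY_DOMAIN}"


def resolve_relay_address(addr):
    local, domain = str(addr).rsplit("@", 1)
    if domain != RELAY_DOMAIN or not local.startswith("reply-"):
        raise ValueError(f"not a relay address: {addr}")
    return RELAY_STATE[local[len("reply-"):]]


def forward_inbound(msg):
    """Outside sender -> alias -> real mailbox.  Returns (forwarded message, envelope sender).
    Both the From header and the SMTP envelope sender (MAIL FROM) are set to the relay
    address; the envelope sender is what a rejecting MTA bounces to, so a DSN for an
    oversized attachment comes back to the relay rather than to the outside sender."""
    alias = str(msg["To"])
    relay_from = relay_address(str(msg["From"]), alias)
    fwd = make_msg(relay_from, ALIAS_TO_REAL[alias], msg["Subject"], msg.get_content())
    return fwd, relay_from


def relay_outbound(msg):
    """Anything that arrives at a relay address -> outside sender.
    Only an allowlist of headers (From/To/Subject) is carried over, From is rewritten to
    the alias, and the real address is scrubbed from Subject and body.  A DSN quoting the
    original headers is where the real address would otherwise slip out."""
    outside_sender, alias = resolve_relay_address(msg["To"])
    real = ALIAS_TO_REAL[alias]
    scrub = lambda s: str(s).replace(real, alias)
    return make_msg(alias, outside_sender, scrub(msg["Subject"]), scrub(msg.get_content()))


def naive_pass_through(msg):
    """The failure mode: forward whatever came back to the relay address verbatim."""
    outside_sender, _alias = resolve_relay_address(msg["To"])
    return make_msg(msg["From"], outside_sender, msg["Subject"], msg.get_content())


def mta_bounce_for_oversized(fwd, envelope_sender):
    """Constructed DSN: the real mailbox's MTA rejects the forward as too large and bounces
    it to the envelope sender, quoting the original headers (which name the real address)."""
    body = ("Your message was rejected: message too large.\n\n"
            "----- Original message headers -----\n"
            f"From: {fwd['From']}\nTo: {fwd['To']}\nSubject: {fwd['Subject']}\n")
    return make_msg("MAILER-DAEMON@mailbox.example", envelope_sender,
                    "Undelivered Mail Returned to Sender", body)


def leaks_real_address(msg, real):
    """True if the real address appears anywhere in the serialized message."""
    return real in msg.as_string()


def run_scenario():
    inbound = make_msg("sender@outside.example", "k7q2p@alias.example", "hi", "please see attached")
    fwd, envelope = forward_inbound(inbound)
    bounce = mta_bounce_for_oversized(fwd, envelope)
    reply = make_msg("realuser@mailbox.example", fwd["From"], "Re: hi", "thanks, got it")
    return {
        "forward": fwd,
        "naive_bounce": naive_pass_through(bounce),
        "scrubbed_bounce": relay_outbound(bounce),
        "reply_out": relay_outbound(reply),
    }


if __name__ == "__main__":
    real = "realuser@mailbox.example"
    for name, m in run_scenario().items():
        print(f"{name:16} From={m['From']}  To={m['To']}  leaks={leaks_real_address(m, real)}")
```

The scrubbing here is a string replace, which only catches the one address the relay knows about; the more robust design is the allowlist `relay_outbound` already applies to headers (never copying Received, Message-ID, Return-Path or any other header from the real mailbox's side), extended to the DSN body by regenerating the bounce text rather than quoting the MTA's.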