By default, OS X Yosemite's Mail app won't "load remote content" such as the types of images typically requested by marketing emails and spam. You can change that in preferences if you really want to see remote images in your emails — such as the products being advertised by Apple, Best Buy, or other retailers in their mailings — but if you accidentally or deliberately click on spam, those images will load too. Even with "load remote content" left off, however, if any such marketing or spam email shows up as a Spotlight search result, Heise reports that such remote content will load. So, what's going on and what can you do about it? ITWorld translates:
The potential privacy glitch affects people who have configured the Mac Mail App to turn off the "load remote content in messages" setting, as security experts have long advised. Spammers, stalkers, and online marketers often use remote images as a homing beacon to surreptitiously track people opening e-mail. Because the images are hosted on sites hosted by the e-mail sender, the sender can log the IP address that viewed the message, as well as the times and how often the message was viewed, and the specific e-mail addresses that received the message. Many users prefer to keep their e-mail addresses, IP addresses, and viewing habits private, a goal that's undermined by the viewing of remote images.
When you visit a website, that website gets information about you. That includes your Internet Protocol (IP) address, the type and version of computer operating system and browser you're using, and other technical details. Your IP address can be used to determine your Internet Service Provider (ISP) and the general area where you're located. If you've ever used something like Google Analytics — which most sites, including iMore, use benignly to figure out how many readers come here, from where, and what they're reading the most — then that's the type of information that can be collected.
As described above, email can be turned into a pseudo webpage by referencing server-hosted images, including tracking pixels, that the mail client fetches when it displays the message. Instead of attaching an image, which embeds the image in the email, the sender points to one on a website: http://example.com/image.gif. If "load remote content" is enabled, that image will be pulled as soon as you open the email, and the website will get your IP address and other information just as if you visited the site directly.
The issue here is that even if you have "load remote content" turned off in Mail, Spotlight will still load remote images. If a search you type into Spotlight returns a marketing or spam email message as the Top Hit, Spotlight will load those images automatically; if it returns the message as a Mail & Messages hit, the images will load when you click on it.
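To see which messages would phone home when rendered, the sketch below (an added example, not from the original article) parses a message and lists every image or media reference that is fetched over HTTP(S) rather than embedded via `cid:`. The sample message, its hosts, and the 1x1-dimension heuristic for flagging a likely tracking pixel are constructed assumptions.

```python
from email import message_from_string, policy
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample message: one embedded (cid:) image, one remote 1x1 pixel
# with a per-recipient token, and one remote banner. Hosts are placeholders.
SAMPLE_EML = """\
From: news@example.com
To: reader@example.org
Subject: Weekly deals
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body>
<img src="cid:logo@example.com" width="120" height="40">
<img src="http://example.com/image.gif?u=reader%40example.org" width="1" height="1">
<img src="https://example.com/banner.jpg" width="600" height="200">
</body></html>
"""

class _RemoteRefs(HTMLParser):
    """Collect attributes that make a mail client fetch a URL when rendering."""
    FETCH_ATTRS = {"src", "background", "poster"}

    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        for name in self.FETCH_ATTRS & a.keys():
            url = (a[name] or "").strip()
            if urlsplit(url).scheme.lower() in ("http", "https"):
                # Heuristic (assumption): a 0/1-pixel image is a tracking beacon.
                tiny = a.get("width") in ("0", "1") and a.get("height") in ("0", "1")
                self.refs.append({"tag": tag, "url": url, "host": urlsplit(url).hostname,
                                  "likely_pixel": tag == "img" and tiny,
                                  "has_query": bool(urlsplit(url).query)})

def remote_content(raw_message: str):
    """Return every remote reference in the HTML parts of an RFC 5322 message."""
    msg = message_from_string(raw_message, policy=policy.default)
    found = []
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            parser = _RemoteRefs()
            parser.feed(part.get_content())
            found.extend(parser.refs)
    return found
```

Any entry returned is a request the sender's server would see if the message were rendered with remote content allowed; the `cid:` image never appears because it travels inside the message.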
I typically leave "load remote content" on, so I'm not overly concerned about this. I find it annoying to have to click on the "Load Remote Content" button every time I want to see an Apple or B&H or other product email I've subscribed to. A combination of Gmail, iCloud, and Mail.app anti-spam means I almost never see spam anyway, and I don't click on them when I do. I also delete my spam messages frequently. So, I've also never, in all the years Spotlight search has been available, had a spam mail message return as the first, automatically previewed, result.
My guess is most people are similar, and won't run into this problem either. That said, it is a problem, and some people are really and rightly concerned about online tracking, especially those being stalked. It would absolutely behoove everyone if Spotlight, when providing Mail results, honored the "load remote content" setting in Mail.
Hopefully Apple will implement that as soon as possible. In the meantime, if tracking pixels are a concern, you can disable Mail as a result type in Spotlight. It's less convenient, but that's typically the price we pay for security.
Although Apple has almost certainly been notified about this issue, I've also filed a bug report with Radar, should anyone with access want to dupe it.
Bug report: rdar://19439666