Unpaywalled. Ironic they want your email on an article about an email vulnerability.
Privacy
Welcome! This is a community for all those who are interested in protecting their privacy.
Rules
PS: Don't be a smartass and try to game the system, we'll know if you're breaking the rules when we see it!
- Be civil and no prejudice
- Don't promote big-tech software
- No apathy and defeatism for privacy (i.e. "They already have my data, why bother?")
- No reposting of news that was already posted
- No crypto, blockchain, NFTs
- No Xitter links (if absolutely necessary, use xcancel)
Related communities:
Some of these are only vaguely related, but great communities.
- !opensource@programming.dev
- !selfhosting@slrpnk.net / !selfhosted@lemmy.world
- !piracy@lemmy.dbzer0.com
- !drm@lemmy.dbzer0.com
I hadn't heard about this feature before and was curious how it worked. Basically its creating a random email alias for your mailbox that you can manage separately from your main address, so you can turn it off if whatever site you gave it to starts getting spammy. Use a password manager and the fact your account email is random shouldn't matter much when logging into a website I guess.
It's a common feature. Mozilla, addy.io, SimpleLogin, etc. all have it. However Apple is special in that they use the same domain as millions of other genuine users, so sites can't really effectively block you from using it, as is the case with just about every other email aliasing service. Unfortunately they're also abandoning that feature.
The problem that I didn’t think about until I had used this for a bunch of websites is that if you ever wanna leave the Apple ecosystem you’re gonna be in for a real headache
Same with Proton. Went balls deep in their aliases only to realize later I was trapped when the price went up the following year.
You keep your SimpleLogin aliases even if you stop paying.
I belive that's only if you have simple login. If you are using say proton unlimited, no, you don't keep them.
Wait is this true? I have unlimited and am planning on canceling. I’ve made my aliases through the included SimpleLogin subscription. Do I keep my aliases if the sub ends?
If you created them through simple login my understanding is you are fine
They all forward to the main address, so it’s no different than leaving any other domain.
They don’t delete your private aliases they just prevent creation of new ones, and the @icloud.com email is otherwise free.
If I leave apple, all those accounts are signed up with icloud addresses, which I’d no longer have access to
That’s no different than if you left any other provider though, unless I’m missing something?
The difference to me is that if I’m locked into using one particular email provider because I don’t feel like going through the hassle of updating all my accounts, it’s a low inconvenience, since most email providers are free/relatively cheap. But if I’m locked into the Apple ecosystem for the same reason, it’s a much bigger inconvenience, given the high cost of their hardware and privacy/security concerns (which some email providers also have, but that’s an issue in both cases so it’s moot)
There are several services that offer this to both free and paying users. As far as I know, though, none of them have a vulnerability as bad as this
Yes, a password manager will help to generate account logins and track them easily for you. But also if your email provider supports it, set your username email address with a +prefix specific to the website/service so you make the account unique, have traceability and isolate your risk if your email or account is sold or leaked. E.g. name+website@example.com
Not every website or service accepts email addresses with plus sign prefixes but this is handy for most.
That’s pretty shitty
tl;dr?
No detail given outside of it was disclosed to Apple a year ago, and - despite repeated gentle, respectful prodding - the problem still hasn't been fixed, so now the people who found it are revealing to the public that it exists, and the website reporter says they confirmed it. Coincidentally(?), Apple recently said they're going to change the way spoofed emails work - of course, the change will make it obvious it's a spoofed address so it'll be easy to reject them.
What was disclosed? What is the vulnerability?
What was disclosed?
The fact the is a vulnerability/exploit to get the true email address exists. Has now been publicly disclosed so people know it exists.
What is the vulnerability?
They aren't going to disclose that publicly.