OS X Spotlight Flaw Enables Spammers to Access User Data

One of the new features of OS X Yosemite was the new Spotlight.

Spotlight on OS X Yosemite

Spotlight. Everything you ever sought.

The quickest way to find what you have on your Mac just got better. Spotlight brings information intelligently so you can find what you're looking for. It was recreated to open right in the middle of the screen. And it offers richer and more interactive previews of the results. Click on a result to read a document, send an email or make a call.

Well, the Germans at the site heise have found (Google Translate) that the new search feature has a privacy-related flaw.

Mail preferences on OS X Yosemite

One of the security recommendations for those who use Mail (one I don't follow myself, I should say) is to deselect the option "Load remote content in messages". With it deselected, as Mail itself explains, content stored on remote servers is not loaded, including the "tracking pixels" that spammers use to collect information when a particular person opens an email.

The problem is that, even with this option disabled, when you run a search in Spotlight (which includes emails in the search results), the feature simply ignores the setting and loads the images of the given email as part of the search process. Once they are loaded, if a particular email contains these tracking pixels, spammers can collect details such as the IP address, OS X version, browser details, etc.

Spotlight settings on OS X Yosemite

For now, the only way to remedy this situation is to deselect the “Mail and Messages” category in the Spotlight System Preferences. That way, when you search in Spotlight, email and message results will no longer be displayed and, consequently, no remote content will be loaded.

Let's hope that Apple will fix this in a future update of OS X, perhaps in 10.10.2, which is still in the testing phase.

(via MacRumors)