Encrypted Emails on macOS Found Stored in Unprotected Way

Apple is investigating an issue, raised by a Mac specialist, in which macOS was discovered to be storing emails that are supposed to be S/MIME-encrypted as readable files.

A database on Apple’s macOS computers is storing emails that are supposed to be protected with encryption as readable files, a problem of which the company has been aware for months and still has yet to solve, according to a researcher.

Apple IT specialist Bob Gendler discovered the problem while he was investigating how macOS and Siri suggest contacts and information to users. He shared his experience in a blog post on Medium, a site that aggregates news and content on various interest topics.

Gendler’s investigation explored a process called suggestd, which is run by the system-level LaunchAgent com.apple.suggestd, and the Suggestions folder in the user-level Library folder, he detailed in his post.

He found that the folder contained multiple files, including “some potentially important database files (.db files)” with information from Apple Mail and other Apple applications that help macOS and Siri to improve how they suggest information to users, he said.

Gendler discovered something curious in some of those .db files. “The main thing I discovered was that the snippets.db database file in the Suggestions folder stored my emails,” he wrote. “And on top of that, I found that it stored my S/MIME encrypted emails completely UNENCRYPTED.”

Further, he discovered that even with Siri disabled, the OS still collects and stores data for Siri, in effect, storing encrypted emails without encryption in a database. This defeats “the purpose of utilizing and sending an encrypted email,” Gendler wrote.

Typically, emails protected with S/MIME are encrypted with the recipient’s public key, and the corresponding private key, held by the recipient, is required to decrypt the messages, he explained.

“If the private key is unavailable or removed, the message should not be readable, by anything,” Gendler wrote. “Unless the private key is compromised, you can be confident that only your intended recipient will be able to access the sensitive data in your email.”

Gendler informed Apple on July 29 of the problem, which he discovered occurring on macOS Mojave 10.14 and the beta of macOS Catalina 10.15. Over the course of the more than three months since then, Apple has acknowledged that they received his information and said the company is investigating the issue, he said.

Apple also has released a number of security-related and other updates to several versions of macOS in the meantime. Still, the company has not verified that the issue has been resolved, Gendler said.

Gendler offered several workarounds in his post for users to fix the problem on their own. And, to be entirely fair, the problem likely only affects a select number of users, according to a separate report about the issue.

To be affected, a person would have to be using macOS and Apple Mail, be using Apple Mail to send encrypted emails, and not be using FileVault to encrypt the entire system.

Moreover, someone would have to know where to look in Apple’s system files for the information. Anyone who wants to exploit the issue also would have to know specifically where the files were stored to do so, according to the report.
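One way to check whether a particular Mac shows this behavior, as an added example that is not from Gendler's post or from Apple: send yourself an S/MIME-encrypted message containing a unique canary phrase, then search every table of the database for that phrase. The path is assumed from the article's description (snippets.db in the Suggestions folder of the user-level Library folder), and the scan makes no assumption about the database schema.

```python
import sqlite3
import sys
from pathlib import Path

# Assumed path, built from the article's description: snippets.db in the
# Suggestions folder of the user-level Library folder.
DEFAULT_DB = Path.home() / "Library" / "Suggestions" / "snippets.db"


def find_canary(db_path, canary):
    """Return sorted (table, column) pairs whose values contain the canary."""
    needle = canary.encode("utf-8")
    hits = set()
    # Open read-only so the check never modifies the database.
    uri = Path(db_path).resolve().as_uri() + "?mode=ro"
    con = sqlite3.connect(uri, uri=True)
    con.text_factory = bytes  # compare raw bytes; tolerates non-UTF-8 text
    try:
        names = con.execute(
            "SELECT name FROM sqlite_master WHERE type='table'").fetchall()
        for (raw_name,) in names:
            table = raw_name.decode("utf-8", "replace")
            quoted = '"' + table.replace('"', '""') + '"'
            try:
                cur = con.execute(f"SELECT * FROM {quoted}")
                cols = [d[0] for d in cur.description]
                for row in cur:
                    for col, val in zip(cols, row):
                        if isinstance(val, bytes) and needle in val:
                            hits.add((table, col))
            except sqlite3.Error:
                continue  # unreadable table (e.g. missing virtual-table module)
    finally:
        con.close()
    return sorted(hits)


if __name__ == "__main__":
    # argv[1]: canary phrase; argv[2]: optional path to a copy of the database
    canary = sys.argv[1]
    db = Path(sys.argv[2]) if len(sys.argv) > 2 else DEFAULT_DB
    found = find_canary(db, canary)
    for table, col in found:
        print(f"canary stored in plaintext: {table}.{col}")
    sys.exit(1 if found else 0)
```

Run it against a copy of the database rather than the live file; an empty result only means the phrase was not found in that copy.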

Still, the issue raises questions about the security of the macOS platform, particularly when Apple has always promoted itself as a company that prioritizes product security and the protection of its customer data, Gendler said.

“For a company that prides itself on security and privacy, the lack of attention to detail on an issue like this completely and totally surprises me,” he wrote. “It brings up the question of what else is tracked and potentially improperly stored without you realizing it.”
