Vulnerability causes emails to be exposed when logging in with an Apple account

Discovered by security researcher Tyler Murphy and published on 404Media on July 1, the bug allows third-party platforms and websites to obtain users' real email addresses, even when they log in via Hide My Email, a feature that creates disposable email addresses to protect privacy.
Murphy said he sent a warning to Apple a year ago, but the company has not yet fixed it. He therefore worked with 404Media to test further, and the results showed that "all attempts to exploit the error were successful".
"We don't yet know the full scope of the problem. But in real-world tests, 100% of Hide My Email email addresses can be exploited," Murphy said, but he declined to describe the vulnerability in detail because of concerns that it would be exploited.
Murphy is the co-founder of EasyOptOuts, a paid data deletion service based in the US. According to him, Hide My Email's mechanism does not ensure safety, and users should not completely trust this feature.
Apple has not yet commented.

Hide My Email was launched in September 2021 with the iOS 15 and iPadOS 15 updates. On its support website, Apple said the feature allows creating a random virtual email address when registering an account with a third-party platform using the quick login function. This virtual address forwards messages to the user's main mailbox, helping to keep the real email address secret and block spam.
According to TechCrunch, Apple is famous for its neat hardware, software and services products, but not all features work as advertised. For example, in 2022, Apple was sued because iPhone Analytics was advertised as stopping the collection of information from the App Store, Apple Music, Apple TV, Books and Stocks when activated, but in reality it still silently collected data without authorization.
Similarly, Apple describes the Private Wi-Fi Addresses feature as creating random MAC addresses to hide the device's real MAC address, thereby limiting the ability to track the device when it is connected to Wi-Fi. However, in 2023, researchers discovered that in some cases, when activated, it still revealed the real MAC address.
According to Gizmodo, in most incidents Apple silently fixes the problem through updates instead of speaking out.
Compiled by Bao Lam