Apple Hide My Email bug, possibly related to disclosure vulnerability

zdw1 pts0 comments

Apple Hide My Email bug, possibly related to disclosure vulnerability

Apple Hide My Email bug, possibly related to disclosure vulnerability

July 10 2026

Last week a disclosure vulnerability in Apple’s Hide My Email feature was publicly announced and verified by a news media outlet, though the technical details of the vulnerability were not publicized. The vulnerability is that it’s possible to unhide the real email address of a Hide My Email user. I don’t know whether I’ve accidentally stumbled upon that vulnerability, or perhaps in this case the Hide My Email user just messed up in some way, but I’ve definitely discovered a bizarre and troubling Hide My Email bug in Mail app (on macOS Sequoia 15.7.7).

I received a support email for one of my apps to a published @underpassapp.com address. This happens practically every day. Bizarrely, however, Mail app displayed an alert that I’ve never seen before, “This message was forwarded to you by Hide My Email,” despite the fact that I have previously received many emails from people using Hide My Email.

Clicking the Settings button opens https://setup.icloud.com/private/email?flow=PRIVATE_EMAIL_MANAGE in my default web browser. This URL takes me to my iCloud account, or a sign in page if I’m not signed in to iCloud on the web. The user interface in Mail doesn’t make any sense, because I’m not the person using Hide My Email, which is managed by the email sender’s settings, not mine. I don’t subscribe to iCloud+, have never used Hide My Email, and don’t even have an @icloud.com email address.

When I attempt to reply to the email, I become even more confused. (I redacted identifying information and screenshotted the redacted screenshot to prevent recovery.)

The To: and From: fields both have an @icloud.com email address, but they are two different @icloud.com email addresses! Moreover, both fields are disabled and uneditable. It turns out that the From: field is actually lying; looking at my reply in the Drafts mailbox and in the raw message source file reveals that the From: field has the email address of my Apple Account! This is insane, because my Apple Account email address is not an @underpassapp.com email address, nor is it published anywhere. I keep that email address private, and sending the reply might disclose my Apple Account email address to my customer. Fortunately, I had second thoughts before pressing the Send button. I still haven’t replied to the email, sorry!

Looking at the raw message source of the customer’s email, I found the following header.

X-Icloud-Hme: p=Hide My Email

;f=[redacted2] @icloud.com;r=0

Identifying information has again been redacted, but [redacted1] and [redacted2] are two different @icloud.com usernames. The two redacted usernames are the same as the usernames redacted in my screenshot, so the X-Icloud-Hme: header is obviously where Mail app got the email addresses.

I’ve received support emails before from the [redacted1] @icloud.com email address, though the current bizarre bug has never occurred before. I’ve never before received emails from the [redacted2] @icloud.com email address, but I have seen it quoted in email text.

On [date redacted] , [redacted2] @icloud.com wrote:

Presumably the customer left their real email address in their reply by accident.

I’m left with several troubling questions:

Why I am seeing two different @icloud.com email addresses, one of which appears to be the sender’s unhidden address?

Why are the To: and From: fields in my reply disabled?

Why is my reply not from my @underpassapp.com email address but rather displayed falsely as from the sender’s @icloud.com address and really from my unrelated Apple Account address?

Are any of these issues related to the recently reported Hide My Email vulnerability?

email address icloud hide from apple

Related Articles