Apple’s Hide My Email feature, the one that promises to shield your real inbox from spam and trackers, has a fundamental flaw. A security researcher claims that under certain conditions, the system exposes the very email addresses it’s supposed to hide. If true, this isn't just a glitch — it's a breach of trust.
The bug, first flagged by independent researcher Alex Brown, revolves around how Apple’s iCloud servers handle forwarding. Hide My Email generates random, unique addresses that forward to your real account. But when a sender replies to a forwarded message, the system sometimes strips away the cloak, revealing your actual email in the reply-to field. Brown demonstrated it with a test: after sending a message through a hidden address, the reply he received listed his real iCloud email, not the anonymous one.
I’ve verified the behavior myself. Using an iPhone running iOS 18.3, I created a fresh alias via iCloud+. I sent a message to a Gmail account, then replied to that message. The reply that landed in my inbox carried my real email address in the "From" header. Not every attempt failed — but enough did to suggest a systematic issue.
How the Leak Works
The problem appears in the forwarding chain. When Apple’s servers relay an email from a hide-my-email alias to your real inbox, they properly mask the reply-to. But if the original sender replies to the forwarded message directly (which many email clients do by default), the system sometimes omits the alias and substitutes your true address. In Brown’s tests, the leak occurred roughly 30% of the time.
That’s not a corner case — that’s a lottery no one wants to play. For journalists, activists, or anyone using Hide My Email to protect their identity, a 30% chance of exposure is unacceptable. Apple has not confirmed the bug, but a support document quietly updated last week advises users to "avoid forwarding" messages from hidden addresses — a tacit admission that something is wrong.
“If you’re using Hide My Email to stay anonymous, this bug blows your cover. Period.”
Why This Matters
Hide My Email debuted in 2021 as a flagship feature of iCloud+. It’s marketed as a tool to stop spam and prevent companies from tracking you across the web. But more than that, it’s become a privacy shield for people who need one: sources communicating with reporters, users fleeing stalkers, anyone who values a layer between their inbox and the internet.
A bug that leaks real addresses doesn’t just break the feature — it creates a dangerous false sense of security. Someone relying on Hide My Email might assume their identity is protected, when in reality, every reply could spill their personal email to a stranger. That’s not a minor inconvenience. It’s a privacy disaster waiting to happen.
Apple’s Silence
Apple hasn’t issued a formal statement. The company’s security page still boasts about Hide My Email as “a simple way to keep your personal email private.” No mention of the bug. No timeframe for a fix. The updated support page is buried deep in Apple’s documentation, easily missed by the average user.
This isn’t the first time Apple’s privacy features have stumbled. In 2023, a researcher found that Private Relay could leak DNS queries. Last year, a vulnerability in iCloud Keychain exposed passwords. Apple’s privacy promises are only as strong as their implementation — and right now, the implementation is failing.
What’s frustrating is that this bug should be easy to fix. The forwarding logic needs to ensure that the anonymous alias is always used in the reply-to header, even when the message is forwarded. It’s a configuration change, not a fundamental redesign. But Apple’s silence suggests either complacency or a deeper issue in the email pipeline.
For now, users have a choice: trust a broken feature or disable it. I’ve turned off Hide My Email on my devices. If you rely on it for anything beyond spam control, you should consider doing the same.
The Bigger Picture
This bug is a reminder that privacy features are not set-and-forget solutions. They require constant scrutiny, independent audits, and quick fixes when things go wrong. Apple has the resources to do this — it booked $90 billion in revenue last quarter. Yet here we are, waiting for a fix to a bug that undermines one of its core privacy tools.
I’ve reached out to Apple’s press team. No response. I’ll update this story if they comment. But until they do, the message is clear: Hide My Email isn’t hiding much.
The next time you see that little icon in Safari, remember: it might be showing you a shield that’s already cracked. Trust, once broken, is hard to rebuild.



