I found a leak, which I’d like to share with you so that you don’t fall for it.
You might have heard of Apple’s “Hide My Email” service. You generate a random email address, and Apple forwards everything sent to it to your real email address.
But here’s the special thing: You can respond to the emails you get, and they will be routed back through Apple, and look like they came from the throwaway address.
But there’s a catch: Some email providers, like ProtonMail, notice that the incoming email was not addressed to your account’s own address. So, when you send a response, ProtonMail forcefully adds a “Reply-To” header containing the real email address, thus leaking it to the recipient.
What can you do about this?
For now, all you can do is stop using ProtonMail together with “Hide My Email”. Try another provider and check whether it leaks the email address with a “Reply-To” header when sending a response.
What can Apple do?
Apple could check for “Reply-To” headers and strip them if they leak the original address, or strip them altogether.
What can ProtonMail do?
ProtonMail could stop forcefully adding a “Reply-To” address. Ironically, the privacy-focused provider is really doing something that’s bad for your privacy, and it doesn’t even tell you about it. You can even go to your “Sent” folder, and check the email. The fact that a “Reply-To” was added without permission is completely invisible.
Dear ProtonMail: Please don’t do this, especially invisibly.
What about responsible disclosure?
Since this is nothing that can be actively exploited by anyone, and instead requires educating the users (until Apple/ProtonMail fix this), I thought it best to warn people, so they don’t leak their email address.
I will, however, inform Apple and ProtonMail. I have now informed Apple and ProtonMail with a link to this article, right after posting it. I received an automated ACK from Apple already.
Which providers are affected?
So far, ProtonMail was the only one I saw doing this “Reply-To” thing, which is why I am focusing on this provider. But there are probably others, too. Did you find that your provider also leaks your address? Please let us know in the comments!
Try different email providers as the forwarding address, send yourself a response, and check whether a “Reply-To” header is added that leaks your address (you have to check this on the other account, which received the response). If it does leak the address, try another provider. If it doesn’t, you’re good to go.
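The manual check described above, and the header stripping a forwarding relay could do as mentioned earlier, can both be automated on a saved copy of the reply. The following is an added example, not code from the original post, from Apple or from ProtonMail: the alias address, the real mailbox and the two message samples are constructed placeholders. It parses the raw message with Python’s standard email module, flags any address in the “Reply-To” (or “Sender”) header that is not the alias, and optionally drops such a header the way a relay might.

```python
"""Detect a Reply-To header on an outgoing reply that reveals the real mailbox
behind a forwarding alias, and optionally strip it (added example; the
addresses and messages below are constructed placeholders, not real captures)."""
from email import message_from_string
from email.utils import getaddresses

# Hypothetical alias issued by the forwarding service and the real mailbox
# it forwards to (constructed values).
ALIAS = "random.words123@icloud.example"
REAL_MAILBOX = "someone@mailbox.example"

# Constructed sample: a reply as it should leave the forwarding service.
CLEAN_REPLY = """\
From: random.words123@icloud.example
To: friend@example.org
Subject: Re: hello
Message-ID: <1@example>

Thanks for writing!
"""

# Constructed sample: the same reply, but the mail provider injected a
# Reply-To header carrying the real address before handing it to the relay.
LEAKY_REPLY = """\
From: random.words123@icloud.example
To: friend@example.org
Reply-To: someone@mailbox.example
Subject: Re: hello
Message-ID: <2@example>

Thanks for writing!
"""

# Headers that carry an address the recipient's client will use or display.
ADDRESS_HEADERS = ("Reply-To", "Sender")


def addresses_in(msg, header):
    """All addresses found in every instance of `header`, lower-cased."""
    values = msg.get_all(header, [])
    return {addr.lower() for _, addr in getaddresses(values) if addr}


def find_leaked_addresses(raw_message, alias):
    """Addresses in Reply-To/Sender headers that differ from the alias.
    Any such address would be exposed to the recipient."""
    msg = message_from_string(raw_message)
    exposed = set()
    for header in ADDRESS_HEADERS:
        exposed |= addresses_in(msg, header)
    return {a for a in exposed if a != alias.lower()}


def is_leaking(raw_message, alias):
    """True if the reply would disclose an address other than the alias."""
    return bool(find_leaked_addresses(raw_message, alias))


def strip_leaking_headers(raw_message, alias):
    """What a forwarding relay could do: remove Reply-To/Sender headers that
    do not point at the alias, and return the sanitized message text."""
    msg = message_from_string(raw_message)
    for header in ADDRESS_HEADERS:
        if addresses_in(msg, header) - {alias.lower()}:
            del msg[header]  # removes every instance of that header
    return msg.as_string()


if __name__ == "__main__":
    for label, sample in (("clean", CLEAN_REPLY), ("leaky", LEAKY_REPLY)):
        leaked = find_leaked_addresses(sample, ALIAS)
        print(f"{label}: leaked addresses = {sorted(leaked) or 'none'}")
```

To check a real reply, save the message your other account received as a .eml file, read it into a string and pass it to `is_leaking` together with your alias. Note that the check looks only at headers; it will not catch an address that the provider places in the message body or in a signature.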
I run this blog in my free time, if it helped you out, consider donating a coffee. (:
I made a video version now, demonstrating the leak!