How-To

A security oversight in Mail.app, or, a hidden bcc: field

buraglio | 49 | |

Recently I was poking around Mail.app, setting up my new machine. I like to keep redundant copies of everything, email being no exception. I have backups of all of my email dating back to 1998, for the most part. It has come in handy from time to time and I like it for reference reasons. It’s a small amount of actual data as far as space goes, and it’s easy to do. I remembered the days of using mutt for email (which really weren’t that long ago for me), and really liked the idea of setting a bcc of a separate address, not necessarily myself, but an email address inside of my administrative control, for CYA types of archiving. Upon looking, I saw no way to do this within the default apple Mail.app.

Doing a bit of google searching, I found that this is pretty easily doable with a default write command. OK, awesome. This is good news. So I applied it:
(Open Terminal)
defaults write com.apple.mail UserHeaders ‘{“Bcc” = “[email protected]”; }’ 

Done. Great. So, lets test it. Send email and check bcc’d address.  Email is there.  Strange, however, the bcc field doesn’t show up, or show anything at all.  That’s right, there is absolutely no indication that this email is being bcc’d to another address.
This isn’t really a problem for me, since I know that I set it up.  What it does mean, though, is that this could be applied to an unsuspecting user account, with absolutely no authentication necessary, and have every outgoing message silently sent to a harvesting account.  There is no easy way to check for this that I have found save for using terminal:

[buraglio@dalek:~ ] defaults read com.apple.mail UserHeaders                                   
{
    Bcc = “[email protected]”;
}

OK, at least there is a way to tell.  Using the command defaults read com.apple.mail UserHeaders from terminal will show the info, but the fact that it’s doable in such an obtuse way with no indication that mail is being bcc’d is a bit scary.
There is a preference pane that allows for tweaking of some of these “features”, it’s open source available here, called BlackTree Secrets.

[[ This is a content summary only. Visit my website for full links, other content, and more! ]]

Recommended for You

2 thoughts on “A security oversight in Mail.app, or, a hidden bcc: field

  2. Anita · Edit

    It’s good to know that you are always backing up your emails and other data. That’s a good practice which I also always do. I don’t use Mac, but I’ve heard the same problems from some users. Anyway, it’s good that you were able to figure it out.

    email encryption software

Comments are closed.