A security researcher has disclosed a privacy flaw in Apple's Hide My Email feature that makes it possible to uncover the actual email address tied to an Apple account. Tests conducted by researcher Tyler Murphy found that 100% of generated addresses could be exploited to reveal the underlying real email.
Murphy reported the issue to Apple more than a year ago, yet the company has not released a fix, according to the researcher. He has now gone public with the vulnerability, stating that users deserve to know the risk. Per 404 Media, the flaw was first reported in June 2025.
The bug affects a core privacy tool that lets users create unique, disposable email addresses to mask their real inboxes when signing up for services. If exploited, an attacker could unmask the permanent email associated with an Apple ID, potentially enabling targeted phishing or account takeovers.
No evidence suggests the flaw has been actively exploited in the wild, but the long remediation timeline raises concerns about Apple's vulnerability handling. Users who rely heavily on Hide My Email are most exposed until a patch arrives.
The researcher urged Apple to prioritize the fix, warning that continued inaction undermines trust in the company's privacy promises. Apple has not publicly commented on the report.