Security Roundup: Apple’s Hide My Email Service Fails to Hide Your Email
A politician on the European Parliament’s PEGA Committee, created to investigate spyware abuses including those of the notorious Pegasus malware, was himself targeted with Pegasus, according to new research findings released this week. Meanwhile, top Google security staff warned this week that the EU’s pro-competition rule proposals could make Google Search and Android vulnerable to hacking and other abuse.
A WIRED investigation revealed this week that Meta contractors posed as kids and teens to see how chatbots like Gemini and ChatGPT responded to prompts about high-risk subjects, including suicide, sex, and drugs.
And a researcher realized that he could use Anthropic’s Claude Opus 4.7 to break into the website of Front Gate and issue tickets to almost any United States music festival, including Lollapalooza and Bonnaroo.
But wait, there’s more! Each week, we round up the security and privacy news we didn’t cover in depth ourselves. Click the headlines to read the full stories. And stay safe out there.
Apple’s Hide My Email Service Fails to Hide Your Email
Back in 2021, Apple launched its Hide My Email tool, which, as the name suggests, allows people to sign up for online services using an email address that isn’t linked directly to them. The privacy feature generates “unique, random email addresses” that forward incoming messages to a user’s personal email address, reducing the amount of information you need to hand over to companies. The relay address is the whole privacy boundary: the feature only works for as long as nobody but Apple can map the random address back to the real one.
Reporting from 404 Media this week revealed that a vulnerability in the system has made it possible, for at least a year, for people’s real email addresses to be uncovered when they are using Apple’s privacy service. “Apple Hide My Email is leaking email addresses that are supposed to be hidden,” security researcher Tyler Murphy, who discovered the flaw in June 2025, told the publication. “In our limited tests with volunteers, 100% of Hide My Email addresses were exploitable,” he said.
The exact details of the vulnerability and how it works have not been revealed because the problem hasn’t been fixed. In tests conducted by 404 Media and Murphy, it was possible for a newly created Hide My Email address, which uses the @icloud.com domain, to be linked back to the real email address of its creator. Murphy said he originally reported the problem to Apple last summer and was told it had been “addressed” by March this year. However, when the researcher continued testing the issue, it remained exploitable, with Apple telling Murphy a couple of months ago that it was still investigating. Apple did not respond to the publication’s requests for comment. With no details published and no fix confirmed, users have no way to check whether a given relay address has already been linked to them; the only thing the reporting establishes is that a fresh address offered no protection in testing.
Alleged Scattered Spider Member Extradited to Face US Charges
A nineteen-year-old has been arrested and extradited to the United States to face charges over their alleged involvement in the notorious Scattered Spider hacking group, the Department of Justice (DoJ) announced this week. Peter Stokes, an Estonian-US dual citizen, was arrested in Finland in April and has been charged with computer intrusion, conspiracy, and fraud linked to the criminal gang.
It is alleged that Stokes, along with other members of the loose hacking collective, hacked into an unnamed “luxury jewelry retailer” and demanded an $8 million cryptocurrency ransom in May 2025. The company did not pay but still spent $2 million responding to the incident, according to a DoJ press release. In recent years, the Scattered Spider group, which is widely believed to be composed of young, English-speaking teenagers, has caused havoc around the world by hacking into and disrupting dozens of businesses. The arrest of Stokes follows two British Scattered Spider members, Thalha Jubair and Owen Flowers, recently pleading guilty to hacking Transport for London in 2024 and causing millions in damages.
India Threatens WhatsApp Over Introduction of Usernames
Following a move by encrypted messaging app Signal last year, WhatsApp has announced it will soon roll out usernames to billions of people. The option means people can connect and message each other without having to share phone numbers, which strengthens privacy, since a phone number is a durable, real-world identifier and a username need not be. However, officials in India, one of WhatsApp’s biggest markets, who have previously tried to weaken encryption protections on the Meta-owned app, have opposed the introduction of usernames. A letter from the Indian government, seen by Reuters, asked WhatsApp to pause the rollout of usernames in the country. The letter claimed the move could increase fraud and cybercrime, citing concerns about allowing online anonymity. The letter was followed by separate messages to Signal and Telegram about their use of usernames.
License Plate Reader Errors Are Getting Innocent People Stopped by Cops
Thousands of automatic license plate reader cameras, known as ALPRs, have appeared across the United States over the last few years. The cameras, which can be deployed by cops, cities, and businesses, photograph passing cars and record details about their movements. As well as license plate numbers, the systems can log the time and location of the photos, the make and model of a vehicle, and even bumper stickers. Billions of images and details of car movements have been captured in vast ALPR databases.
However, an increasing body of evidence shows that when the camera systems make mistakes, innocent people can be detained by law enforcement officials and accused of crimes. A review of court records and media reports by the nonprofit Institute for Justice this week found at least 24 cases of misidentification over the last eight years, and those records are likely the tip of the iceberg. These reportedly include a couple with a baby in their car being detained at gunpoint; a camera misreading an “O” as a “0”, leading to grandparents being detained; and someone being pulled over after their license plate was not removed from a wanted list. The cases share a pattern: a single automated read, or a stale entry in a hot list, was treated as sufficient grounds for a stop with no secondary check against the plate or the vehicle description. The findings add to a growing list of errors from the AI-enabled cameras.