Overlooked in last week’s revelation that the National Security Agency (NSA) is harvesting hundreds of millions of e-mail address books around the world was this surprising factoid: Apple makes this mass collection easier because the Address Book app that by default manages Mac contacts doesn’t use HTTPS encryption when syncing with Gmail accounts.

As a result, addresses that automatically travel between Macs and Google servers are sent as plain text, independent privacy researcher Ashkan Soltani wrote in The Washington Post last Monday.

He provided the above screenshot demonstrating that Address Book contents appear in the clear to anyone who has the ability to monitor traffic over a Wi-Fi network or other connection. His observation came 15 months after another Mac user also warned that the Mac app offered no way to enable HTTPS when syncing e-mail address lists with Gmail.

“It appears that it’s an Apple issue,” Soltani told Ars, referring to the inability to enable HTTPS when Apple’s Address Book is updated to a user’s Gmail account. “Their other products support Gmail via HTTPS, so I suspect it would be a three-line fix in the contacts to alleviate this problem.”
