OS X Yosemite
Mac OS X Yosemite was released last week as a free upgrade. Apple

A security researcher claims that Apple's latest desktop software secretly and silently uploads unsaved documents and email addresses to the company's servers without a user's knowledge.

According to Berlin-based hacker and security researcher Jeffrey Paul, changes made in Mac OS X Yosemite causes sensitive and private data to be automatically uploaded to Apple's servers.

Paul says that Apple changed the way in which Mac OS stores unsaved documents to enable Yosemite's new feature, "Continuity".

In previous versions of Mac OS X, unsaved documents were stored on a user's computer in a hidden "Saved Application State" folder, and were automatically re-opened when you relaunched the app.

In Yosemite, a user's unsaved documents and emails are sent to their iCloud Drive to allow them to continue working where they left off using iOS 8-enabled iPhones and iPads.

However, Paul discovered that documents he had created before installing Yosemite had also been uploaded to Apple's servers: an action he claims was done without his knowledge or permission.

"Apple has taken local files on my computer not stored in iCloud and silently and without my permission uploaded them to their servers – across all applications, Apple and otherwise," Paul said.

According to the researcher, this is the sequence of what happened:

  • Open text editor, create some new documents. Store PII [personally identifiable information], passwords, seed values, phone call notes, love letters, etc. in them.
  • Quit text editor.
  • Reopen text editor several times over the course of a year, add more notes. Previous notes remain, safely in ~/Library/Saved Application State/ on my local, encrypted computer.
  • Upgrade to Yosemite
  • Notice that all of my locally-stored, "unsaved" documents open in my text editor have now been uploaded in full to a partner in NSA's PRISM program.

Paul says this happens for all applications that used the "saved application state" directory.

As well as uploading documents, Paul claims Yosemite synchronises email addresses of people you correspond with to their recent addresses service, even if you are not using an iCloud email account.

"This means that names and email addresses that are not in iCloud contacts, not synchronized to your device, and only available in an IMAP-accessed inbox are now being sent to Apple, silently," Paul says.

The security researcher, speaking to CSO Australia, also believes that while the Apple may claim it needs to upload such content to its servers to facilitate Continuity, this is simply not the case:

"Continuity, their cross-device open file syncing feature currently *requires* Bluetooth. It is an actual design limitation that it only works over a short range. There's no reason for those files to leave the room, yet they make a round-trip to Apple's servers."

Disabling Continuity

If you do not want files to be automatically sent to Apple's iCloud servers, turn the feature off using the following method:

  • Click on the Apple icon (top-left of your screen),
  • Select System Preferences,
  • Click on iCloud, and
  • Deselect the "Documents & Data" checkbox.

You can continue to upload and download documents to iCloud using Apple's iWork for iCloud apps. But your edited and unsaved documents will no longer be saved to iCloud, and you will lose automatic access to them on iOS 8 devices.

IBTimes UK has contacted Apple for a comment about these claims but has not received a response at the time of writing.

Autosaving documents to iCloud is not new feature for Apple's operating system, as it was introduced in previous versions of Mac OS X. However, it was not clear that Apple silently uploads all previous documents a user works on to the iCloud servers too.

However, it was not clear that Apple silently uploads all previous documents a user has worked on to the iCloud servers too.

This is just the latest security issue to hit Apple's iCloud system, with the service also coming under fire following the online publication of explicit celebrity images over the last two months.

To try and stem the tide of negative comments about its security and privacy credentials, Apple published a dedicated website about the issue with chief executive Tim Cook saying: "Security and privacy are fundamental to the design of all our hardware, software, and services, including iCloud and new services like Apple Pay."

Apple's privacy website says that all users' stored on Apple's iCloud is encrypted, as are connections made to Apple's servers, and that this data is not given to third-parties. It also says that the company, nor anyone else, cannot access data on devices using iOS 8 if the device is protected by a passcode.

The company has previously denied that it had any knowledge of Prism – the US National Security's Agency's programme to mine IT companies' servers for information – before it was revealed by Edward Snowden, or that it gives governments access to its servers.