As someone who doesn't rely on this feature, I'd love to know now as well, but perhaps the etiquette in public would be to align ourselves with:
> we will not discuss or disclose the details of the exploits until they're fixed.
But if there's a public forum where the cat's already out of the bag, then game on. Perhaps this:
https://www.reddit.com/r/apple/comments/1ukilw1/apple_hide_m...
...which makes it seem like perhaps the attack surface is limited to scenarios involving a Yahoo/Sonic address (assuming that Apple only sends X-Sonic-* headers when talking to those providers that want to see it), which might be a small percentage of users.