macOS 'Quick Look' Bug Can Leak Encrypted Data Through Thumbnail Caches

by

A long-standing bug in macOS's Quick Look feature has the potential to expose sensitive user files like photo thumbnails and the text of documents, even on encrypted drives, according to security researchers.

Details on the Quick Look flaw were shared earlier this month by security researcher Wojciech Regula and over the weekend on security researcher Patrick Wardle's blog (via The Hacker News).

quicklookbug

Image via Wojciech Regula

Quick Look in macOS is a convenient Finder feature that's designed to present a zoomed-in view when you press the space bar on a photo or document that's selected.

To provide this preview functionality, Quick Look creates an unencrypted thumbnail database where thumbnails of files are kept, with the database storing file previews from a Mac's storage and any attached USB drives whenever a folder is opened. These thumbnails, which provide previews of content on an encrypted drive, can be accessed by someone with the technical know how and there's no automatic cache clearing that deletes them. As Regula explains:

It means that all photos that you have previewed using space (or Quicklook cached them independently) are stored in that directory as a miniature and its path. They stay there even if you delete these files or if you have previewed them in encrypted HDD or TrueCrypt/VeraCrypt container.

This is an issue that's existed for at least eight years and concerns have been raised about it in the past, but Apple has made no changes in macOS to address it. "The fact that behavior is still present in the latest version of macOS, and (though potentially having serious privacy implications), is not widely known by Mac users, warrants additional discussion," writes Wardle.

As Wardle points out, this information is valuable in law enforcement investigations, but most users are not going to be happy to learn that their Mac records file paths and thumbnails of documents from every storage device that's been attached to it.

For a forensics investigation or surveillance implant, this information could prove invaluable. Imagine having a historic record of the USB devices, files on the devices, and even thumbnails of the files...all stored persistently in an unencrypted database, long after the USB devices have been removed (and perhaps destroyed). For users, the question is: "Do you really want your Mac recording the file paths and 'previews' thumbnails of the files on any/all USB sticks that you've ever inserted into your Mac?" Me thinks not...

It's worth noting that if the main drive on the Mac is encrypted, the Quick Look cache that's created is too. Wardle says that data "may be safe" on a machine that's powered off, but on a Mac that's running, even if encrypted containers are unmounted, the caching feature can reveal their contents.

"In other words, the increased security encrypted containers were thought to provide, may be completely undermined by QuickLook," writes Wardle.

Wardle recommends that users concerned about unencrypted data storage clear the Quick Look cache manually whenever a container is unmounted, with instructions for this available on Wardle's website. It's also worth checking out Wardle's site for full details on the Quick Look bug.

Popular Stories

Verizon New

Verizon is Down: iPhones Show 'SOS' Mode Due to Network Outage [Resolved]

Wednesday January 14, 2026 10:18 am PST by
Verizon is experiencing a major outage across the U.S. today, with hundreds of thousands of customers reporting issues with the network on the website Downdetector. There are also complaints across Reddit and other social media platforms. iPhone users and others with Verizon service are generally unable to make phone calls, send text messages, or use data over 5G or LTE due to the outage....
Read Full Article136 comments
Apple Creator Studio

Apple Introduces New 'Creator Studio' Bundle of Apps for $129 Per Year

Tuesday January 13, 2026 6:11 am PST by
Apple today introduced a new Apple Creator Studio bundle that offers access to six creative apps, as well as exclusive AI features and content, as part of a single subscription. In the U.S., pricing is set at $12.99 per month or $129 per year. Here are the six apps included with an Apple Creator Studio subscription:Final Cut Pro on the Mac and iPad Logic Pro on the Mac and iPad Pixelmator...
Read Full Article395 comments
iOS 26

Here's What's New in iOS 26.3 So Far

Monday January 12, 2026 1:15 pm PST by
Apple today seeded the second beta of iOS 26.3, nearly a month after the first beta. So far, the update includes a couple of new features for iPhones. iOS 15.3 through iOS 18.3 were all released in late January over the years, so it is thereby likely that iOS 26.3 will be released towards the end of this month as well. The update is compatible with the iPhone 11 series and newer. Below,...
Read Full Article46 comments
maxresdefault

Apple Confirms Google Gemini Will Power Next-Generation Siri This Year

Monday January 12, 2026 7:38 am PST by
In a statement shared with CNBC today, Apple confirmed that Google Gemini will power the next-generation version of Siri that is slated to launch later this year. Subscribe to the MacRumors YouTube channel for more videos. "After careful evaluation, we determined that Google's technology provides the most capable foundation for Apple Foundation Models and we're excited about the innovative...
Read Full Article271 comments
airpods pro 3 design

Apple Releases New AirPods Pro 3 Firmware Update

Tuesday January 13, 2026 11:29 am PST by
Apple today released a firmware update for the AirPods Pro 3. The latest firmware has a version number of 8B34, up from the previous version 8B30. Apple has a support document for AirPods firmware updates, and it indicates that the 8B34 update contains unspecified "bug fixes and other improvements." No other AirPods models received firmware updates today. How to install AirPods Pro...
Read Full Article52 comments
Low Cost MacBook Feature A18 Pro

Apple Is Expected to Launch These Four MacBooks in 2026

Friday January 9, 2026 8:17 am PST by
2026 could be a bumper year for Apple's Mac lineup, with the company expected to announce as many as four separate MacBook launches. Rumors suggest Apple will court both ends of the consumer spectrum, with more affordable options for students and feature-rich premium lines for users that seek the highest specifications from a laptop. Subscribe to the MacRumors YouTube channel for more videos. ...
Read Full Article125 comments
fcp pcp iwork creator studio

Some Apple Apps Will No Longer Receive Every New Feature Without a Subscription

Tuesday January 13, 2026 10:50 am PST by
If you are not interested in subscribing to the new Apple Creator Studio bundle introduced today, you will officially start to miss out on some new features. Apple said some "exciting new intelligent features and premium content" in Pixelmator Pro, Keynote, Numbers, Pages, and Freeform will only be accessible with a Creator Studio subscription. In the U.S., a subscription costs $12.99 per...
Read Full Article493 comments
maxresdefault

Google Gemini-Powered Siri Will Reportedly Have These 7 New Features

Tuesday January 13, 2026 7:52 pm PST by
Apple and Google this week announced that Gemini will help power a more personalized Siri, and The Information has provided more details. Subscribe to the MacRumors YouTube channel for more videos. As soon as this spring, the report said the revamped version of Siri will be able to… Answer more factual/world knowledge questions in a conversational manner Tell more stories Provide...
Read Full Article218 comments
iOS 18 Siri Personal Context

Elon Musk Reacts to Apple and Google Teaming on Gemini-Powered Siri

Monday January 12, 2026 11:38 am PST by
Elon Musk today expressed concern about Apple and Google partnering on a more personalized version of Siri powered by Google's generative AI platform Gemini. "This seems like an unreasonable concentration of power for Google, given that [they] also have Android and Chrome," wrote Musk, in a post on X. Musk serves as CEO of xAI, the company behind Gemini competitor Grok. It is unlikely...
Read Full Article239 comments
iPhone Top Left Hole Punch Face ID Feature Purple

10 Reasons to Wait for This Year's iPhone 18 Pro

Thursday January 8, 2026 2:56 am PST by
Apple's iPhone development roadmap runs several years into the future and the company is continually working with suppliers on several successive iPhone models at the same time, which is why we often get rumored features months ahead of launch. The iPhone 18 series is no different, and we already have a good idea of what to expect for the iPhone 18 Pro and iPhone 18 Pro Max. One thing worth...
Read Full Article75 comments

Top Rated Comments

luvbug Avatar
luvbug
99 months ago
It's a one line command (in terminal) to clear the cache. You need to be an "admin" user, but you don't need to be root:

qlmanage -r cache

Of course, someone here will figure out a reason to whine about having to do this.
Score: 20 Votes (Like | Disagree)
InuNacho Avatar
InuNacho
99 months ago
I’ve known about this for years. I accidently locked a word file and was able to “rescue” it by hitting the space bar.
Great security.
Score: 18 Votes (Like | Disagree)
magicschoolbus Avatar
magicschoolbus
99 months ago
This is an issue that's existed for at least eight years and concerns have been raised about it ('http://osxdaily.com/2010/07/25/filevault-and-quicklook-leak-some-information-from-encrypted-volumes/') in the past, but Apple has made no changes in macOS to address it. "The fact that behavior is still present in the latest version of macOS, and (though potentially having serious privacy implications), is not widely known by Mac users, warrants additional discussion," writes Wardle.
Apple does not care about the Mac. The hardware and this proves it. You guys should seriously consider naming this site iosrumors.com (that's not a shot at you either.. Apple is all about iOS)
Score: 17 Votes (Like | Disagree)
Acidsplat Avatar
Acidsplat
99 months ago
So, you get the prize for first whiner! I guess assigning blame is more important to you than addressing the problem in the first person using readily available information.
Ordinary people wouldn’t know to input a terminal command, or even know that Quick Look is leaking their data.

The bug lies with Apple’s code. How is this the fault of the consumer? The consumer is certainly not the party to blame in this situation.
Score: 12 Votes (Like | Disagree)
Acidsplat Avatar
Acidsplat
99 months ago
It's a one line command (in terminal) to clear the cache. You need to be an "admin" user, but you don't need to be root:

qlmanage -r cache

Of course, someone here will figure out a reason to whine about having to do this.
You shouldn't have to do this because of a bug in the software left in from literally years ago.
Score: 11 Votes (Like | Disagree)
AL1630 Avatar
AL1630
99 months ago
Hmm. It seems like these flaws are becoming more common lately. Not sure if that's just me paying more attention or if the amount of flaws is actually increasing.
Score: 8 Votes (Like | Disagree)
Read All Comments