macOS 'Quick Look' Bug Can Leak Encrypted Data Through Thumbnail Caches

A long-standing bug in macOS's Quick Look feature has the potential to expose sensitive user files like photo thumbnails and the text of documents, even on encrypted drives, according to security researchers.

Details on the Quick Look flaw were shared earlier this month by security researcher Wojciech Regula and over the weekend on security researcher Patrick Wardle's blog (via The Hacker News).

quicklookbug

Image via Wojciech Regula

Quick Look in macOS is a convenient Finder feature that's designed to present a zoomed-in view when you press the space bar on a photo or document that's selected.

To provide this preview functionality, Quick Look creates an unencrypted thumbnail database where thumbnails of files are kept, with the database storing file previews from a Mac's storage and any attached USB drives whenever a folder is opened. These thumbnails, which provide previews of content on an encrypted drive, can be accessed by someone with the technical know how and there's no automatic cache clearing that deletes them. As Regula explains:

It means that all photos that you have previewed using space (or Quicklook cached them independently) are stored in that directory as a miniature and its path. They stay there even if you delete these files or if you have previewed them in encrypted HDD or TrueCrypt/VeraCrypt container.

This is an issue that's existed for at least eight years and concerns have been raised about it in the past, but Apple has made no changes in macOS to address it. "The fact that behavior is still present in the latest version of macOS, and (though potentially having serious privacy implications), is not widely known by Mac users, warrants additional discussion," writes Wardle.

As Wardle points out, this information is valuable in law enforcement investigations, but most users are not going to be happy to learn that their Mac records file paths and thumbnails of documents from every storage device that's been attached to it.

For a forensics investigation or surveillance implant, this information could prove invaluable. Imagine having a historic record of the USB devices, files on the devices, and even thumbnails of the files...all stored persistently in an unencrypted database, long after the USB devices have been removed (and perhaps destroyed). For users, the question is: "Do you really want your Mac recording the file paths and 'previews' thumbnails of the files on any/all USB sticks that you've ever inserted into your Mac?" Me thinks not...

It's worth noting that if the main drive on the Mac is encrypted, the Quick Look cache that's created is too. Wardle says that data "may be safe" on a machine that's powered off, but on a Mac that's running, even if encrypted containers are unmounted, the caching feature can reveal their contents.

"In other words, the increased security encrypted containers were thought to provide, may be completely undermined by QuickLook," writes Wardle.

Wardle recommends that users concerned about unencrypted data storage clear the Quick Look cache manually whenever a container is unmounted, with instructions for this available on Wardle's website. It's also worth checking out Wardle's site for full details on the Quick Look bug.

Top Rated Comments

luvbug Avatar
52 months ago
It's a one line command (in terminal) to clear the cache. You need to be an "admin" user, but you don't need to be root:

qlmanage -r cache

Of course, someone here will figure out a reason to whine about having to do this.
Score: 20 Votes (Like | Disagree)
InuNacho Avatar
52 months ago
I’ve known about this for years. I accidently locked a word file and was able to “rescue” it by hitting the space bar.
Great security.
Score: 18 Votes (Like | Disagree)
magicschoolbus Avatar
52 months ago
This is an issue that's existed for at least eight years and concerns have been raised about it ('http://osxdaily.com/2010/07/25/filevault-and-quicklook-leak-some-information-from-encrypted-volumes/') in the past, but Apple has made no changes in macOS to address it. "The fact that behavior is still present in the latest version of macOS, and (though potentially having serious privacy implications), is not widely known by Mac users, warrants additional discussion," writes Wardle.
Apple does not care about the Mac. The hardware and this proves it. You guys should seriously consider naming this site iosrumors.com (that's not a shot at you either.. Apple is all about iOS)
Score: 17 Votes (Like | Disagree)
Acidsplat Avatar
52 months ago
So, you get the prize for first whiner! I guess assigning blame is more important to you than addressing the problem in the first person using readily available information.
Ordinary people wouldn’t know to input a terminal command, or even know that Quick Look is leaking their data.

The bug lies with Apple’s code. How is this the fault of the consumer? The consumer is certainly not the party to blame in this situation.
Score: 12 Votes (Like | Disagree)
Acidsplat Avatar
52 months ago
It's a one line command (in terminal) to clear the cache. You need to be an "admin" user, but you don't need to be root:

qlmanage -r cache

Of course, someone here will figure out a reason to whine about having to do this.
You shouldn't have to do this because of a bug in the software left in from literally years ago.
Score: 11 Votes (Like | Disagree)
AL1630 Avatar
52 months ago
Hmm. It seems like these flaws are becoming more common lately. Not sure if that's just me paying more attention or if the amount of flaws is actually increasing.
Score: 8 Votes (Like | Disagree)

Popular Stories

iPhone 14 Pro Purple Front and Back MacRumors Exclusive

iPhone 14 Pro Renders Highlight Multiple Design Changes

Wednesday May 25, 2022 8:56 am PDT by
Leaker Jon Prosser today shared ostensibly accurate renders of the iPhone 14 Pro, providing the most accurate look yet at what the device could look like when it launches later this year. In the latest video on YouTube channel Front Page Tech, Prosser revealed renders of the iPhone 14 Pro made by Apple concept graphic designer Ian Zelbo, highlighting a range of specific design changes...
iPad Pro USB C Feature Coral

Deals: Apple's iPad Pro Reaches Up to $449 Off in Amazon's Latest Sales

Wednesday May 25, 2022 10:09 am PDT by
Amazon is marking down a wide variety of 11-inch and 12.9-inch iPad Pro models this week, with prices starting as low as $749.00 for the 11-inch tablet. You'll find the full list of sales below, all of which can be found on Amazon. Note: MacRumors is an affiliate partner with some of these vendors. When you click a link and make a purchase, we may receive a small payment, which helps us keep...
apple account card

Wallet App Now Supports Apple Account Cards on iOS 15.5

Wednesday May 25, 2022 5:01 pm PDT by
Apple appears to have recently updated the Wallet app to allow users to add an Apple Account Card, which displays the Apple credit balance associated with an Apple ID. If you receive an App Store or Apple Store gift card, for example, it is added to an Apple Account that was previously visible in the App Store and Apple Store apps. As of today, the Apple Account balance can also be added to...
iphone 13 pro max display bleen

iPhone 14 Max Reportedly Weeks Behind Schedule [Updated]

Thursday May 26, 2022 7:25 am PDT by
The iPhone 14 Max is currently behind schedule by around three weeks, according to Haitong International Securities analyst Jeff Pu. Yesterday, Nikkei Asia reported that at least one iPhone 14 model was three weeks behind schedule due to the impact of lockdowns on Apple's supply chains in China, but it was not clear which iPhone 14 model this related to. Now, Pu has clarified that the model...
iPhone 13 Always On Feature

iPhone 14 Pro Screen Refresh Rate Upgrade Could Allow for Always-On Display

Tuesday May 24, 2022 7:23 am PDT by
Last year's iPhone 13 Pro models were the first of Apple's smartphones to come with 120Hz ProMotion displays, and while the two iPhone 14 Pro models will continue to feature the technology, their screens could well boast expanded refresh rate variability this time round. To bring ProMotion displays to the ‌iPhone 13 Pro models‌, Apple adopted LTPO panel technology with variable refresh...
Apple Tap to Pay iPhone

Apple Stores Rolling Out iPhone-to-iPhone Contactless Payments Starting Today

Wednesday May 25, 2022 6:54 am PDT by
Apple in February unveiled a new "Tap to Pay on iPhone" feature that will allow compatible iPhones to accept payments via Apple Pay, contactless credit and debit cards, and other digital wallets, with no additional hardware required. Apple began testing the feature at its Apple Park Visitor Center earlier this month, and now Bloomberg's Mark Gurman has tweeted that the feature will begin...
apple tv 4k design green

Apple Releases tvOS 15.5.1 for Apple TV HD and Apple TV 4K

Wednesday May 25, 2022 9:42 am PDT by
Apple today released tvOS 15.5.1, a minor update to the tvOS operating system that first launched in September 2021. tvOS 15.5.1 comes about 10 days after the launch of tvOS 15.5. tvOS 15.5.1 can be downloaded over the air on the Apple TV through the Settings app by going to System > Software Update. ‌‌‌‌‌‌Apple TV‌‌‌‌‌‌ owners who have automatic software updates...