macOS ‘Quick Look’ Cache Bug Exposes Users’ Encrypted Data

A decade-old bug in macOS can expose the contents of a user’s files – including document text and photo thumbnails – even if the drive is encrypted.

Image via Wojciech Regula

A pair of security experts, Patrick Wardle and Wojciech Regula, explained on their respective blogs how the flaw came out of a simple, seemingly innocuous OS X/macOS function: Quick Look.

The Quick Look feature generates previews that are then stored on unencrypted drives, regardless of the original location of the file. This means that when Quick Look is triggered, the feature generates a preview of each file, even if from an encrypted drive, and then stores it in a non-encrypted location.

The preview partially exposes the content of the file and can be then accessed by malicious actors to read this information, researches have shown. Users using encrypted containers to safeguard files from intrusive eyes may be unaware that they might be leaking information via the thumbnail cache or via the Quick Look functionality.

“[This] means that all photos that you have previewed using space (or Quicklook cached them independently) are stored in that directory as a miniature and its path,” explains Regula. “They stay there even if you delete these files or if you have previewed them in encrypted HDD or TrueCrypt/VeraCrypt container.”

Wardle explains that the bug is an issue for anyone using encrypted volumes. If a laptop is stolen or seized by law enforcement, but unmounted and considered safe, the Quick Look cache can still reveal the contents of files, if the thumbnail is large enough.

“Imagine having a historic record of the USB devices, files on the devices, and even thumbnails of the files … all stored persistently in an unencrypted database, long after the USB devices have been removed (and perhaps destroyed),” says Patrick Wardle. “For users, the question is: Do you really want your Mac recording the file paths and ‘previews’ thumbnails of the files on any/all USB sticks that you’ve ever inserted into your Mac? Me thinks not.”

“If you open a folder with files residing on an external drive, thumbnails will be created on the boot drive depending on the file type and the installed Quick Look plugins,” Wardle adds. “The previews, metadata and file paths are stored in SQLite database files deep inside the var folder. The path to this folder contains arbitrary folder names. With the proper commands, the preview pics can be extracted from the database.”

Currently, Mac owners can manually clear the Quick Look cache using the “qlmanage” command. In the latest version of MacOS High Sierra, simply navigate to Launcher > Other > Terminal and type “qlmanage -r cache” at the prompt without the quotes. After that, reboot the Mac and the thumbnails should be gone.