Monday, June 18, 2018

Quick Look Cache Reveals Sensitive Data From Encrypted Drives

Wojciech Regula:

I found out that Quicklook registers XPC service that is responsible for creating thumbnails database and storing it in /var/folders/…/C/ directory.

It means that all photos that you have previewed using space (or Quicklook cached them independently) are stored in that directory as a miniature and its path. They stay there even if you delete these files or if you have previewed them in encrypted HDD or TrueCrypt/VeraCrypt container.

Via Swati Khandelwal:

Patrick Wardle, chief research officer at Digital Security, equally shared the concern, saying that the issue has long been known for at least eight years, “however the fact that behavior is still present in the latest version of macOS, and (though potentially having serious privacy implications), is not widely known by Mac users, warrants additional discussion.”


In a separate blog post, Wardle demonstrated that macOS behaves same for the password-protected encrypted AFPS containers, eventually exposing even encrypted volumes to potential snooping.

This also affects third-party applications such as EagleFiler that use Quick Look to display images.

Update (2018-06-20): See also: MacRumors, Slashdot, ZDNet.

Update (2018-06-25): Patrick Wardle:

Want to disable Quick Look from caching your sensitive files?

$ qlmanage -r disablecache

Howard Oakley:

I am delighted to offer an update to improve my new tool for managing your QuickLook (or Quick Look) cache, Aquiline Check.

Update (2018-06-26): Howard Oakley:

Here is a brief overview of some of the potentially sensitive information which macOS secretes away in unexpected places.

5 Comments RSS · Twitter

Samuel Herschbein

Is this true if full-disk encryption is enabled? I thought "full-disk" meant just that, which would include the whole /var hierarchy.

One of the references is from 2010 and apparently only the home folder was encrypted. Another reference used encrypted containers, not full-disk. In both these cases I fully expect caches to be visible since they're not part of the encryption.

@Samuel Yes, the issue is that the Quick Look previews will always be on the boot disk (encrypted with its password, if applicable), and this might be different from the encryption where the sensitive files are stored. Browsing files on an encrypted disk should not leak them to another drive.

Samuel Herschbein

To be perfectly clear: if I have a single drive and it has full-disk encryption, I'm not vulnerable, correct?

The macoS users I support either don't use any disk encryption or they use full-disk encryption.

IMHO anyone who uses encrypted disks should be using full-disk encryption on their boot drive. Otherwise the chance of a breach is just too great.

@Samuel Yes, with a single drive it doesn't matter unless you are using an encrypted disk image within the drive.

[…] Quick Look Cache Reveals Sensitive Data From Encrypted Drives, Mojave’s New Security and Privacy Protections Face Usability […]

Leave a Comment