Thursday, October 25, 2018

Mojave Fixes QuickLook Cache Vulnerability With a DataVault

Howard Oakley:

I’m delighted to report that Apple has responded to this issue in macOS 10.14 Mojave, and made the QuickLook cache altogether inaccessible, although I wait for news from Wojciech and/or Patrick that they’ve managed to wheedle their way around the new defences! So you can now trash those two apps, which have also been deprived of any access to the QuickLook cache.

What has Apple done? It has locked the QuickLook cache folder away from apps using sandboxing.


“/var/folders/t9/[long ID]/C/” is a DataVault, which is a new type of privacy container that Apple introduced sometime around 10.13.4. These files/folders are identified by the “UF_DATAVAULT” file flag. These are implemented via SIP (not technically sandboxing, but the same gist). Applications need an entitlement to make or access specific data vaults, or even to stat() a DataVault folder.

These devices are worth some deeper investigation. Apple doesn’t (and apparently has no plans to) issue these entitlements to third-parties. Consider the implications of that – Apple is creating a platform where only data created in Apple applications gets the highest level of security.

Also consider that you (the user) can’t see what’s in these DataVaults without turning off SIP. It’s hard to tell what Apple is keeping in these, but some of them are a bit alarming.

It seems like this fix can still leak private data. If you use Quick Look to view files on an encrypted volume, they could be cached in the DataVault on the boot volume. They could then be exposed by turning off SIP, which only requires the password to the Mac, not the password to the encrypted volume.

Note that DataVaults are not accessible to the user or regular apps, even if you give them Full Disk Access. So their contents are not backed up and can’t be cloned.

Howard Oakley:

macOS Mojave is Apple’s most complex Mac operating system in terms of the controls which it places over access to files and folders. If you still think that this is all done by regular POSIX permissions, you may find this article illuminating, if not downright scary.

Previously: Quick Look Cache Reveals Sensitive Data From Encrypted Drives, Mojave’s New Security and Privacy Protections Face Usability Challenges.

Update (2018-11-05): My guess is that Core Spotlight, whose index is stored in the user’s home folder (and not in a data vault), may also leak private data.

3 Comments RSS · Twitter

I don't understand the rationale for Quicklook to cache anything now - in the days of slow hard drives, perhaps, but on any reasonably new (or reasonably performant old) machine with an SSD, loading times for icon previews are negligible. I disabled Quicklook caching, and apart from not experiencing any real slowdown in window draws, reaped the benefit of no longer getting instances where the Quicklook cache refused to update when an image was altered, rotated etc.

Your Mac is better, in every experiential way, without Quicklook cache.

I will pass along that tip to my Mac using family/friends/clients. Thanks!

[…] There are also software bottlenecks even on an SSD. Some customers have reported Mail on Mojave taking over a minute to launch, seemingly related to FSEvents monitoring a DataVault. […]

Leave a Comment