{"id":21852,"date":"2018-06-18T15:00:30","date_gmt":"2018-06-18T19:00:30","guid":{"rendered":"https:\/\/mjtsai.com\/blog\/?p=21852"},"modified":"2018-06-26T11:03:00","modified_gmt":"2018-06-26T15:03:00","slug":"quick-look-cache-reveals-sensitive-data-from-encrypted-drives","status":"publish","type":"post","link":"https:\/\/mjtsai.com\/blog\/2018\/06\/18\/quick-look-cache-reveals-sensitive-data-from-encrypted-drives\/","title":{"rendered":"Quick Look Cache Reveals Sensitive Data From Encrypted Drives"},"content":{"rendered":"

Wojciech Regula<\/a>:<\/p>\n

I found out that Quicklook registers com.apple.quicklook.ThumbnailsAgent XPC service that is responsible for creating thumbnails database and storing it in \/var\/folders\/…\/C\/com.apple.QuickLook.thumbnailcache\/<\/tt> directory.<\/p>

It means that all photos that you have previewed using space (or Quicklook cached them independently) are stored in that directory as a miniature and its path. They stay there even if you delete these files or if you have previewed them in encrypted HDD or TrueCrypt\/VeraCrypt container.<\/p><\/blockquote>

Via Swati Khandelwal<\/a>:<\/p>

Patrick Wardle, chief research officer at Digital Security, equally shared the concern, saying that the issue has long been known<\/a> for at least eight years, “however the fact that behavior is still present in the latest version of macOS, and (though potentially having serious privacy implications), is not widely known by Mac users, warrants additional discussion.”<\/p>

[…]<\/p>

In a separate blog post<\/a>, Wardle demonstrated that macOS behaves same for the password-protected encrypted AFPS containers, eventually exposing even encrypted volumes to potential snooping.<\/p><\/blockquote>\n

This also affects third-party applications such as EagleFiler<\/a> that use Quick Look to display images.<\/p>\n\n

Update (2018-06-20): See also: MacRumors<\/a>, Slashdot<\/a>, ZDNet<\/a>.<\/p>\n\n

Update (2018-06-25): Patrick Wardle<\/a>:<\/p>\n

\n

Want to disable Quick Look from caching your sensitive files?<\/p>\n

$ qlmanage -r disablecache<\/pre>\n<\/blockquote>\n\n
Howard Oakley<\/a>:<\/p>\n
\n
I am delighted to offer an update to improve my new tool for managing your QuickLook (or Quick Look) cache, Aquiline Check.<\/p>\n<\/blockquote>\n\n
Update (2018-06-26): Howard Oakley<\/a>:<\/p>\n
\n
Here is a brief overview of some of the potentially sensitive information which macOS secretes away in unexpected places.<\/p>\n<\/blockquote>","protected":false},"excerpt":{"rendered":"
Wojciech Regula: I found out that Quicklook registers com.apple.quicklook.ThumbnailsAgent XPC service that is responsible for creating thumbnails database and storing it in \/var\/folders\/…\/C\/com.apple.QuickLook.thumbnailcache\/ directory.It means that all photos that you have previewed using space (or Quicklook cached them independently) are stored in that directory as a miniature and its path. They stay there even if […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"apple_news_api_created_at":"2018-06-26T15:03:03Z","apple_news_api_id":"66d34397-b6a6-4bae-9443-82e4235f2182","apple_news_api_modified_at":"2018-06-26T15:03:04Z","apple_news_api_revision":"AAAAAAAAAAAAAAAAAAAABA==","apple_news_api_share_url":"https:\/\/apple.news\/AZtNDl7amS66UQ4LkI18hgg","apple_news_coverimage":0,"apple_news_coverimage_caption":"","apple_news_is_hidden":false,"apple_news_is_paid":false,"apple_news_is_preview":false,"apple_news_is_sponsored":false,"apple_news_maturity_rating":"","apple_news_metadata":"\"\"","apple_news_pullquote":"","apple_news_pullquote_position":"","apple_news_slug":"","apple_news_sections":"\"\"","apple_news_suppress_video_url":false,"apple_news_use_image_component":false,"footnotes":""},"categories":[],"tags":[131,595,30,1529,355,1103],"class_list":["post-21852","post","type-post","status-publish","format-standard","hentry","tag-bug","tag-eaglefiler","tag-mac","tag-macos-10-13","tag-privacy","tag-quick-look"],"apple_news_notices":[],"_links":{"self":[{"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/posts\/21852","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/comments?post=21852"}],"version-history":[{"count":6,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/posts\/21852\/revisions"}],"predecessor-version":[{"id":21930,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/posts\/21852\/revisions\/21930"}],"wp:attachment":[{"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/media?parent=21852"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/categories?post=21852"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/tags?post=21852"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}