Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Endpoint Security

macOS’ Quick Look Cache May Leak Encrypted Data

The Quick Look mechanism on macOS, which allows users to check file contents without actually opening the files, may leak information on cached files, even if they reside on encrypted drives or if the files have been deleted.

The Quick Look mechanism on macOS, which allows users to check file contents without actually opening the files, may leak information on cached files, even if they reside on encrypted drives or if the files have been deleted.

According to Apple, “Quick Look enables apps like Finder and Mail to display thumbnail images and full-size previews of Keynote, Numbers, Pages, and PDF documents, as well as images and other types of files.”

Quick Look registers the com.apple.quicklook.ThumbnailsAgent XPC service, which creates a thumbnails database and stores it in the /var/folders/…/C/com.apple.QuickLook.thumbnailcache/ directory.

The issue, discovered by Wojciech Reguła, is that the service creates thumbnails of all supported files located in an accessed folder, regardless of whether the folder resides on an internal or external drive. It does the same for macOS Encrypted HFS+/APFS drives as well.

Because of that, the SQLite database in the com.apple.QuickLook.thumbnailcache/ directory contains previews, metadata and file paths of photos and other files in the accessed folders, depending on the file type and the installed Quick Look plugins.

Said thumbnails, however, are not created only for the files a user has chosen to preview with Quick Look (which automatically results in the service caching file information), but for other files residing in the accessed folders as well.

While the created thumbnails for previewed files are larger, smaller thumbnails are created for the other files, but even those could be used to leak content, Objective-See’s Patrick Wardle suggests.

To demonstrate the bug, Reguła created a VeraCrypt container, mounted it, and saved an image in it. He also cached it in Quick Look by pressing space on it. Next, he placed a second photo in macOS Encrypted HFS+/APFS drive.

Advertisement. Scroll to continue reading.

With both images cached, information about the full paths and the file names is stored in the aforementioned database, and the researcher used a modified script to exfiltrate the thumbnails.data file and retrieve the miniatures.

“This technique is known and helps a lot in forensics, but I honestly didn’t know about this before. It was the big surprise for me to see that even files stored in encrypted containers may be that cached. Have it on mind when you will be using space to preview photos,” Reguła notes.

According to Wardle, this behavior “can be replicated in a password-protected encrypted AFPS container.” When creating a file in the container, a thumbnail of the file is created and cached even if the user simply views the container in the UI, without previewing the file, he explains.  

Even if the encrypted volume is unmounted, the thumbnail of the file continues to be stored in the temporary directory, meaning that it can be extracted. The cached thumbnails are created for files on USB drives that users insert into their Macs as well.

“Depending on the size of the ‘preview’ images generated for Finder (and other variables, such as the size of the font used in the file), the contents of the even documents may be discernible from the thumbnail alone,” Wardle notes.

With the main drive encrypted, the cached data remains safe on a powered off system, but it can be revealed to an attacker or law enforcement accessing the system, even if the password-protected encrypted containers have been unmounted.

However, it is possible to clear the Quick Look cache when unmounting a container, using the qlmanage utility. The qlmanage -r cache command should immediately purge the cache, without requiring a system reboot.

Related: macOS High Sierra Logs External Volume Passwords in Plaintext

Related: Apple Patches Dozens of Flaws in macOS, iOS, Safari

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Understand how to go beyond effectively communicating new security strategies and recommendations.

Register

Join us for an in depth exploration of the critical nature of software and vendor supply chain security issues with a focus on understanding how attacks against identity infrastructure come with major cascading effects.

Register

Expert Insights

Related Content

Endpoint Security

Today, on January 10, 2023, Windows 7 Extended Security Updates (ESU) and Windows 8.1 have reached their end of support dates.

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...

Endpoint Security

Gigabyte has announced BIOS updates that remove a recently identified backdoor feature in hundreds of its motherboards.

Endpoint Security

Several major companies have published advisories in response to the Downfall vulnerability affecting Intel CPUs.

Application Security

Microsoft on Tuesday pushed a major Windows update to address a security feature bypass already exploited in global ransomware attacks.The operating system update, released...

CISO Strategy

Varied viewpoints as related security concepts take on similar traits create substantial confusion among security teams trying to evaluate and purchase security technologies.

Endpoint Security

The Zero Day Dilemma

Endpoint Security

When establishing visibility and security controls across endpoints, security professionals need to understand that each endpoint bears some or all responsibility for its own...