Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Endpoint Security

macOS’ Quick Look Cache May Leak Encrypted Data

The Quick Look mechanism on macOS, which allows users to check file contents without actually opening the files, may leak information on cached files, even if they reside on encrypted drives or if the files have been deleted.

The Quick Look mechanism on macOS, which allows users to check file contents without actually opening the files, may leak information on cached files, even if they reside on encrypted drives or if the files have been deleted.

According to Apple, “Quick Look enables apps like Finder and Mail to display thumbnail images and full-size previews of Keynote, Numbers, Pages, and PDF documents, as well as images and other types of files.”

Quick Look registers the com.apple.quicklook.ThumbnailsAgent XPC service, which creates a thumbnails database and stores it in the /var/folders/…/C/com.apple.QuickLook.thumbnailcache/ directory.

The issue, discovered by Wojciech Reguła, is that the service creates thumbnails of all supported files located in an accessed folder, regardless of whether the folder resides on an internal or external drive. It does the same for macOS Encrypted HFS+/APFS drives as well.

Because of that, the SQLite database in the com.apple.QuickLook.thumbnailcache/ directory contains previews, metadata and file paths of photos and other files in the accessed folders, depending on the file type and the installed Quick Look plugins.

Said thumbnails, however, are not created only for the files a user has chosen to preview with Quick Look (which automatically results in the service caching file information), but for other files residing in the accessed folders as well.

While the created thumbnails for previewed files are larger, smaller thumbnails are created for the other files, but even those could be used to leak content, Objective-See’s Patrick Wardle suggests.

To demonstrate the bug, Reguła created a VeraCrypt container, mounted it, and saved an image in it. He also cached it in Quick Look by pressing space on it. Next, he placed a second photo in macOS Encrypted HFS+/APFS drive.

With both images cached, information about the full paths and the file names is stored in the aforementioned database, and the researcher used a modified script to exfiltrate the thumbnails.data file and retrieve the miniatures.

“This technique is known and helps a lot in forensics, but I honestly didn’t know about this before. It was the big surprise for me to see that even files stored in encrypted containers may be that cached. Have it on mind when you will be using space to preview photos,” Reguła notes.

According to Wardle, this behavior “can be replicated in a password-protected encrypted AFPS container.” When creating a file in the container, a thumbnail of the file is created and cached even if the user simply views the container in the UI, without previewing the file, he explains.  

Even if the encrypted volume is unmounted, the thumbnail of the file continues to be stored in the temporary directory, meaning that it can be extracted. The cached thumbnails are created for files on USB drives that users insert into their Macs as well.

“Depending on the size of the ‘preview’ images generated for Finder (and other variables, such as the size of the font used in the file), the contents of the even documents may be discernible from the thumbnail alone,” Wardle notes.

With the main drive encrypted, the cached data remains safe on a powered off system, but it can be revealed to an attacker or law enforcement accessing the system, even if the password-protected encrypted containers have been unmounted.

However, it is possible to clear the Quick Look cache when unmounting a container, using the qlmanage utility. The qlmanage -r cache command should immediately purge the cache, without requiring a system reboot.

Related: macOS High Sierra Logs External Volume Passwords in Plaintext

Related: Apple Patches Dozens of Flaws in macOS, iOS, Safari

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Expert Insights

Related Content

Application Security

Electric car maker Tesla is using the annual Pwn2Own hacker contest to incentivize security researchers to showcase complex exploit chains that can lead to...

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...

Application Security

Computer maker Lenovo has started pushing security patches to address three vulnerabilities impacting the UEFI firmware of more than 110 laptop models.

Application Security

Password management firm LastPass says the hackers behind an August data breach stole a massive stash of customer data, including password vault data that...

Application Security

Google’s Threat Analysis Group (TAG) has shared technical details on an Internet Explorer zero-day vulnerability exploited in attacks by North Korean hacking group APT37.

Application Security

Virtualization technology giant Citrix on Tuesday scrambled out an emergency patch to cover a zero-day flaw in its networking product line and warned that...

Application Security

Microsoft on Tuesday pushed a major Windows update to address a security feature bypass already exploited in global ransomware attacks.The operating system update, released...

Endpoint Security

Apple has launched a new security research blog and website, which will also be the new home of the company’s bug bounty program.