While many users find the Quick Look functionality in macOS incredibly convenient, security researchers have uncovered a security hole that could expose the content of files stored on encrypted drives…
First discovered by security researcher Wojciech Regula, and shared today on The Hacker News, the bug relates to how the macOS generates thumbnails for files and folders in an effort to provide the Quick Look functionality to users. These thumbnails are then cached to allow access via Quick Look.
The issue, however, stems from the fact that the cached thumbnails are then stored on a Mac’s unencrypted hard drive. This doesn’t necessarily mean that the entire file is visible, but the thumbnail at least exposes some of its contents:
Regula demonstrated this by creating two encrypted containers:
The issue also extends to USB drives that are connected to a Mac. In this case, macOS will create thumbnails of the files on the external drive, and store them on the boot drive.
“It means that all photos that you have previewed using space (or Quicklook cached them independently) are stored in that directory as a miniature and its path,” Regula said.
This isn’t necessarily a new flaw, as Digital Security researcher Patrick Wardle says this issue has been known for “at least eight years.” Wardle says that a fix from Apple would be relatively easy:
More information can be found at the links below:
Wardle believes it would be pretty easy for Apple to resolve this issue by either not generating a preview if the file is within an encrypted container, or deleting the cache when a volume is unmounted.
- Apple macOS Bug Reveals Cache of Sensitive Data from Encrypted Drives
- Your encrypted photos revealed in macOS cache
- FileVault and QuickLook leak some information from encrypted volumes in Mac OS
- Cache Me Outside: Apple’s ‘quicklook’ cache may leak encrypted data
