macOS QuickLook Feature Leaks Data Despite Encrypted Drive

Researchers demonstrate how an encrypted macOS hard drive can still leak unprotected data via the operating system’s Finder and QuickLook feature.

Researchers are cautioning macOS users that not all the data they store on their encrypted hard drive is protected. In a report published Monday, Apple security expert Patrick Wardle revealed that a macOS feature called QuickLook stores unprotected previews of images and other file types.

“Apple states that: ‘we believe privacy is a fundamental human right….[and] every Apple product is designed from the ground up to protect that.’ …unfortunately marketing claims and reality are sometimes at odds,” wrote Wardle, chief research officer at Digita Security.

The researcher is building off the research of Wojciech Reguła, who first reported the issue early this month. Both Reguła and Wardle described why the data was being stored unprotected and offered a solution for deleting it.

The QuickLook feature in question works with the macOS app Finder and allows users to quickly check a file’s contents without having to open the associated application required to open the file. The feature works with images and other file formats such as Microsoft Excel (.xlsx) documents. Pressing the space bar when an Excel document is selected pops up a small thumbnail preview window showing contents of the file, sans having to open the entire Excel application (see image).

Reguła found that each of those preview images are associated with a directory path and reside in an unencrypted local directory.

“It means that all photos that you have previewed using space (or Quicklook cached them independently) are stored in that directory as a miniature and its path. They stay there even if you delete these files or if you have previewed them in encrypted HDD or TrueCrypt/VeraCrypt container,” Reguła wrote.

Both researchers note that QuickLook will generate thumbnails of several other types of document formats, despite the fact that they may be stored in encrypted containers. “Depending on Finder’s view settings (e.g. icon mode, list mode, etc), file thumbnails may be created and cached by QuickLook automatically when a directory is viewed via the UI,” Wardle wrote.

To retrieve the unprotected images, Wardle created a python script that was able to access output directory containing the thumbnails.

He notes that QuickLook caches file images automatically, as well as those that are manually selected for preview. Testing was conducted on a variety of macOS systems including password-protected encrypted Apple File System containers.

Apple did not reply to a request for comment regarding this story.

The research also revealed cached file images were created when select documents were accessed on a removable hard drive. “If the user opened a folder on the removable drive, that files contained in that folder would be cached,” said researchers. “The previews, metadata and file paths are stored in SQLite database files deep inside the var folder in the com.apple.QuickLook.thumbnailcache folder. The path to this folder contains arbitrary folder names. With the proper commands the preview pics can be extracted from the database.”

Both researchers note that this type of unprotected data could be a boon for forensic investigators, attackers, or a government’s prying eyes. “In other words, the increased security encrypted containers were thought to provide, may be completely undermined by QuickLook,” Wardle wrote.

The solution is to unmount the encrypted container, then manually clear and delete the QuickLook cache.

“It was the big surprise for me to see that even files stored in encrypted containers may be that cached. Have it on mind when you will be using space to preview photos,” Reguła said.

Suggested articles