Apple macOS Quick Look Bug Is Leaking Encrypted File Information Say Researchers

macOS
A pair of macOS security experts have discovered a bug in the latest version of macOS that exposes the contents of files, including ones that are encrypted and are supposed to be safe from prying eyes. The security flaw exists within Apple's 'Quick Look' feature, which caches thumbnails and names of files, even when the files are stored within a password protected encrypted container, such as a hard drive or a separate partition.

The issue with Quick Look is that it stores that data in a non-encrypted location. Even worse, they apparently remain on the hard drive, even if a user deletes the original file that he or she previewed via QuickLook.

"This means that all photos that you have previewed using space (or QuickLook cached them independently) are stored in that directory as a miniature and its path. They stay there even if you delete these files or if you have previewed them in encrypted HDD or TrueCrypt/VeraCrypt container," said Wojciech Regula, one of the security researchers that discovered the flaw.

Quick Look is a relatively recent feature addition to Finder. It allows users to hold down the Space key when selecting a file to view a preview. "Use Quick Look to view photos, files, or a folder without opening them. You can use Quick Look for items in Finder windows, on your desktop, in emails, in messages, and other places," Apple explains on its website.

Finder already offered up icon previews, but with Quick Look, a user can take a peek at the contents of a file at full or near-full size. It works with PDFs, HMTL, iWork documents, and more. While handy, the bug is a potentially major security hole. It's also an issue that is known to forensics experts, for which it can prove useful.

Regula notes that macOS users can delete the thumbnail images that Quick Look creates by running a pair of commands:
  • $ rm -rf $TMPDIR/../C/com.apple.QuickLook.thumbnailcache
  • $ sudo reboot
Upon rebooting, the Quick Look directory where the thumbnails are stored is recreated, with the previous contents wiped out.

Top Image Source: Pixabay via StockSnap

Via:  Objective-See
Show comments blog comments powered by Disqus