macOS Quick Look May Be an Easy Way to View Files But Doesn’t Appear to Be the Most Secure One


Quick Look is a popular feature that Mac users frequently go for to preview files without having to open different apps. However, this trusted old feature may have been revealing sensitive information stored on encrypted drives.

Security researcher Wojciech Regula wrote earlier this month that "Quicklook registers XPC service that is responsible for creating thumbnails database" and stores it in /var/folders/.../C/ directory.

Apple Releases 15.5.1 Update for HomePod, Fixes Music Playback Issue

"It means that all photos that you have previewed using space (or Quicklook cached them independently) are stored in that directory as a miniature and its path," Regula wrote. "They stay there even if you delete these files or if you have previewed them in encrypted HDD or TrueCrypt/VeraCrypt container."

This macOS Quick Look flaw has been known for nearly a decade; Apple yet to resolve it

Regula's research essentially reveals a critical flaw in the design of Quick Look where Apple may have focused a little more on convenience than security. Since the cached thumbnails created for Quick Look are stored on the non-encrypted drive even if those files are in an encrypted container, they could expose sensitive data. This means that an attacker or law enforcement having access to a running system can potentially access sensitive data thanks to this caching feature even if that data is stored on an encrypted drive.

However, what's even more shocking is the fact that the issue has been known for at least 8 years if not more. "Apple states that: 'we believe privacy is a fundamental human right...[and] every Apple product is designed from the ground up to protect that' ...unfortunately marketing claims and reality are sometimes at odds," security researcher Patrick Wardle wrote (via The Hacker News).

Wardle said that Apple could easily fix this decade-old macOS Quick Look flaw by not generating a preview of a file that is within an encrypted container or deleting the cache when a volume is unmounted. Users are also recommended to run the following command to delete the Quick Look cache:

qlmanage -r cache

- For more technical details, head over to Objective-See and wojciechregula.

Relevant: "I Can Be Apple, and so Can You” – Researcher Reveals an 11-Year-Old Code Signing Flaw in OS X