macOS Quick Look Can Be Used to Snoop on Files in Encrypted Drives: Report

A bug in the Quick Look feature of macOS can potentially leak sensitive user files, according to security researchers. The Quick Look functionality in macOS is a marquee feature that Mac users reckon to preview files without opening another app. However, researchers claim to have uncovered a security hole in the years-old tool that could potentially reveal sensitive information, even on encrypted drives.

Security researcher Wojciech Regula had found the alleged Quick Look bug, reports The Hacker News. The Quick Look feature in macOS takes a snapshot of a file's contents and the full file path without the user having to open each file. It also stores that snapshot data in an unprotected location on the computer's hard drive. Regula wrote up details about the macOS data leak issue earlier this month. "It means that all photos that you have previewed...are stored in that directory as a miniature and its path," Regula wrote. He also added that information stays there even if you delete the files.

In Regula's proof of concept, images of Luke Skywalker and Darth Vader were put one in a Veracrypt container and another on a macOS encrypted HFS+ drive. He then opened them in Quick Look, and then used a command to locate a thumbnail of each image in a different directory within the PC. The original image had 1920x1080 pixels resolution, but the thumbnail images were only 336x182 pixels when saved by Quick Look's snapshot. But, Regula claims that those thumbnails were still good enough to give a sense of the original files. Another issue is that if you use Quick Look to preview data stored on a removable drive, the thumbnails get saved to Quick Look's hidden cache.

Patrick Wardle, Chief Research Officer at Digita Security, adding to Regula's work in his own blog post, notes that the bug is triggered every time a user opens a folder. As mentioned, the bug exposes even encrypted volumes to potential snooping. Wardle writes, "If we unmount the encrypted volume, the thumbnails of the file are...still stored in the user's temporary directory, and thus can be extracted."

Wardle also noted that the bug is an issue for anyone using encrypted volumes. He says that if a laptop is stolen or seized by law enforcement, but unmounted and considered safe, the Quick Look cache can still leak the contents of files.

Interestingly, the issue has been known to forensic experts, since 2010, as revealed in an osxdaily report. However, Apple has reportedly not fixed the apparent data leak issue, even in the macOS 10.14.

Meanwhile, Wardle has offered a solution on how to purge the Quick Look cache from the computer in his blog. That said, it would be relatively simple for Apple to patch the issue. "I think it would be pretty easy for Apple to either not generate a preview if the file is within an encrypted container, or better yet, when a volume is unmounted, delete the cache," said Wardle. Without an official fix, users right now can manually delete a Quick Look cache when a container is unmounted by using the 'qlmanage' utility.