Security researchers claim Apple's Quick Look feature in macOS inadvertently exposes image thumbnails and other files that have password protections o
Security researchers claim Apple’s Quick Look feature in macOS inadvertently exposes image thumbnails and other files that have password protections or are in encrypted containers. How does Quick Look expose the files and what risks does this pose to enterprises?
For some reason, certain software flaws don’t get fixed but slip out of the collective consciousness of the security community. One such flaw has come to light again following research by Wojciech Regula from SecuRing and Patrick Wardle of Digita Security.
Apple’s Quick Look functionality allows macOS users to preview the contents of a file without having to fully open it. For example, selecting a PDF file in Finder while holding down the Space key shows an image preview of the document without the device having to open it up in Adobe Reader. Finder creates and caches these thumbnails whenever a user navigates to a folder so that the preview is immediately available.
The problem with Apple’s Quick Look is that these thumbnails are not encrypted even if the contents of the files are stored in encrypted containers. They are also stored in a known location and, therefore, can easily be stolen by malware or viewed by anyone in possession of a device.
Even though this has been a known problem in Apple’s Quick Look for several years, it still persists in the latest version of macOS and is regularly used by data forensics experts. The latest research found that depending on Finder’s view settings, file thumbnails may be created and cached automatically by Quick Look whenever a directory is viewed in Finder.
The file thumbnails are stored in the user’s temporary directory, making them accessible to any code running in the context of the user. The files persist even if the original file is deleted, the drive is disconnected, the volume is unmounted or the system is rebooted. This means that even files kept on an encrypted USB key can have their thumbnails permanently stored in the user’s temporary directory.
This is a serious security and privacy risk for individuals and enterprises, as the contents of PDF, Word, Excel, and other potentially sensitive documents may be obvious from the thumbnail depending on the size of the preview images generated.
Reguła and Wardle advise users to manually clear the Quick Look cache after unmounting an encrypted container to remove thumbnails of potentially sensitive files by typing the following into the macOS terminal:
qlmanage -r cache
However, the thumbnails could still be recovered using forensic tools, as clearing the cache does not overwrite the contents of the files.
Ask the expert:
Want to ask Michael Cobb a question about application security? Submit your questions now via email. (All questions are anonymous.)