Mac OS bug reveals encrypted file info, claim researchers

News by Mark Mayne

A widely-publicised flaw within the latest Mac OS can reveal more than business users might like...

A widely-publicised flaw within the latest Mac OS can reveal more than business users might like...

A duo of security researchers have re-discovered a bug in the newest version of MacOS that allows unauthorised eyes to glean information about the content of files - even if they are encrypted.

The security flaw concerns Apple's 'Quick Look' feature, which caches thumbnails and names of files. The problem is that Quick Look stores that data in a separate, non-encrypted location, so that even if a user deletes the original file and encrypts a copy on a removable or network drive, a local user can discover quite a bit of information about the file regardless.

"This means that all photos that you have previewed using space (or QuickLook cached them independently) are stored in that directory as a miniature and its path. They stay there even if you delete these files or if you have previewed them in encrypted HDD or TrueCrypt/VeraCrypt container," said Wojciech Regula, a macOS security expert at SecuRing.

Quick Look works with PDFs, HTML and iWork documents as well as a range of other files, such as images including PNG. The researchers noted that if a file was previewed in QuickLook by the user, then a high-res thumbnail would be created, but a lower-res version would be created automatically when new files were detected by the OS.

As co-researcher Patrick Wardle of Digita Security noted: “For a forensics investigation or surveillance implant, this information could prove invaluable. Imagine having a historic record of the USB devices, files on the devices, and even thumbnails of the files...all stored persistently in an unencrypted database, long after the USB devices have been removed (and perhaps destroyed).

“For users, the question is: "Do you really want your Mac recording the file paths and 'previews' thumbnails of the files on any/all USB sticks that you've ever inserted into your Mac?" Me thinks not…”

The researchers did offer a somewhat manual fix (as well as considerable detail in a blogpost to delete the thumbnail images that Quick Look creates by running the following commands:

  • $ rm -rf $TMPDIR/../C/

  • $ sudo reboot

Upon rebooting, the Quick Look directory where the thumbnails are stored is freshly created, and previous stored thumbnails are no longer visible.

Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews