macOS' Quick Look Cache May Leak Encrypted Data
Ionut Arghire | June 20, 2018
The Quick Look mechanism on macOS, which allows users to check file contents without actually opening the files, may leak information on cached files, even if they reside on encrypted drives or if the files have been deleted. According to Apple, “Quick Look enables apps like Finder and Mail to display thumbnail images and full-size previews of Keynote, Numbers, Pages, and PDF documents, as well as images and other types of files.” Quick Look registers the com.apple.quicklook.ThumbnailsAgent XPC service, which creates a thumbnails database and stores it in the /var/folders/.../C/com.apple.QuickLook.thumbnailcache/ directory. The issue, discovered by Wojciech Reguła, is that the service creates thumbnails of all supported files located in an accessed folder, regardless of whether the folder resides on an internal or external drive. It does the same for macOS Encrypted HFS+/APFS drives as well. Because of that, the SQLite database in the com.apple.QuickLook.thumbnailcache/ directory contains previews, metadata and file paths of photos and other files in the accessed folders, depending on the file type and the installed Quick Look plugins. Said thumbnails, however, are not created only for the files a user has chosen to preview with Quick Look (which automatically results in the service caching file information), but for other files residing in the accessed folders as well. While the created thumbnails for previewed files are larger, smaller thumbnails are created for the other files, but even those could be used to leak content, Objective-See’s Patrick Wardle suggests.