macOS Quick Look flaw exposes the contents of encrypted files

Apple’s Quick Look feature in MacOS supposedly leaks sensitive data even if the content is locked behind password-protected encryption.

First discovered by security researcher Wojciech Regula, and shared today on The Hacker News, the bug relates to how the macOS generates thumbnails for files and folders in an effort to provide the Quick Look functionality to users. These thumbnails are then cached to allow access via Quick Look.

quicklookbug-800x490

Quick Look in macOS is a convenient Finder feature that’s designed to present a zoomed-in view when you press the space bar on a photo or document that’s selected.

To provide this preview functionality, Quick Look creates an unencrypted thumbnail database where thumbnails of files are kept, with the database storing file previews from a Mac’s storage and any attached USB drives whenever a folder is opened. These thumbnails, which provide previews of content on an encrypted drive, can be accessed by someone with the technical know how and there’s no automatic cache clearing that deletes them.

Currently, Mac owners can manually clear the Quick Look cache using the “qlmanage” command. In the latest version of MacOS High Sierra, simply navigate to Launcher > Other > Terminal and type “qlmanage -r cache” at the prompt without the quotes. After that, reboot the Mac and the thumbnails should be gone. 

Advertisements