macOS Quick Look flaw leaks encrypted data

By

We've rounded up some of the coolest Mac apps at the lowest prices.
macOS Mojave didn't fix this one crucial flaw.
Photo: Cult of Mac

One of the most useful features of macOS could potentially leak some of your most important data.

Security researchers have discovered a flaw with the Quick Look feature on macOS that exposes document text and photo thumbnails from a user’s files. And the flaw works even if the drive has been encrypted.

IT security specialist Wojciech Regula discovered that Quick Look stores snapshots of data at an unprotected location on the computers hard drive. Whenever Quick Look is used to preview the contents of a file, a snapshot of all the contents and the full file path are captured and stored in that spot.

Anyone that can access those snapshots can get a look at the photo or other data that was captured by Quick Look. Making matters worse, the Quick Look snapshots are stored on your Mac even if you delete the original.

Quick Look’s critical flaw

Patrick Wardle, chief research officer at Digita Security, warned in a blogpost today that the flaw is triggered every time you open a folder.

“This makes using encrypted containers pointless,” Wardle wrote. If an encrypted drive has been unmounted by hackers or law enforcement, all the thumbnails of the files can be extracted.

In a conversation with ZDNet, Wardle explained that the Quick Look bug also affects USB drives that have been plugged into a user’s Mac.

“Basically you have a forensics trail of what was on removable drives,” he said. “If a person plugged in USB drive and read ‘instructions from Russia,’ that fact would be stored on the computer.”

Fixing the problem

The Quick Look flaw has been known about since 2010 but Apple still hasn’t fixed it. macOS Mojave still stores Quick Look files at the same unencrypted folder.

In order to avoid the flaw, Wardle says users can purge their Quick Look cache from their computer. Check out this full rundown on how to do it.