Flaw in macOS 'Quick Look' could reveal encrypted data
Quick Look is a marquee feature Mac users rely on to easily preview files without opening a dedicated app, but the years-old tool could potentially reveal sensitive information on encrypted drives.
The security hole, which has presumably been present in Quick Look since the feature rolled out more than a decade ago, was detailed earlier this month in a blog post by security researcher Wojciech Regula. Patrick Wardle, with Regula's assistance, provided an in-depth explanation of the flaw in a blog entry last week that was picked up by The Hacker News on Monday.
As Regula notes, Apple's Quick Look mechanism generates and caches thumbnails of files, images, folders and other data for fast and easy access by macOS. This allows Mac users to quickly preview said information with the tap of the space bar. Instead of relying on a dedicated app, such as Acrobat for PDFs, macOS is able to provide a "quick look" at the file using OS assets.
The problem, which was initially discussed some eight years ago, lies in Quick Look's file handling practices. Apple's feature stores thumbnail caches on an unencrypted drive, meaning snippets of originating files, even those contained in encrypted containers, can be exposed to those who know where to look.
"This means that all photos that you have previewed using space (or QuickLook cached them independently) are stored in that directory as a miniature and its path," Regula writes.
To verify his claims, Regula created a proof of concept in which two images were saved in two separate encrypted containers, one created with VeraCrypt and another with macOS Encrypted HFS+/APFS. The researcher was able to find both images and their paths with a simple command, which in turn granted access to a miniature version of the original files.
Wardle adds that Quick Look's caching function extends to attached USB drives, with thumbnails stored on the host computer's boot drive. He further argued that while the Quick Look flaw does not reveal the entire contents of a given file, what it does provide could prove useful to nefarious actors or law enforcement agencies.
That said, it would be relatively simple for Apple to patch the issue. As Wardle notes, Apple could restrict Quick Look previews to files located outside encrypted containers or, alternatively, flush thumbnail caches when a volume is unmounted.
Without an official fix, users concerned about exposing potentially sensitive data can manually delete a Quick Look cache when a container is unmounted by using the