Modern operating systems are packed with all kinds of features and functions, plenty of which many users don’t know about and may never use. Most of these features are benign, but some can have unintended effects on users’ security or privacy, and current versions of macOS have one of those, a feature that can leak the contents of some files even when they’re sitting in encrypted volumes.
The function is called QuickLook and it’s been in macOS since Leopard in 2007. QuickLook is designed to give users a way to preview the contents of files, folders, or photos without actually opening them. A user can just select a file and hit the space bar to get a preview, and can then take other actions on the file, such as playing any video content or making it into a full screen view. It’s a convenient feature if you’re just trying to click through a series of photos or documents to see what’s in there.
But one of the consequences of using the QuickLook feature is that viewing a file leaves a thumbnail version of it in the machine’s cache, even if the original file was on an external USB device or in an encrypted container.
“It means that all photos that you have previewed using space (or Quicklook cached them independently) are stored in that directory as a miniature and its path. They stay there even if you delete these files or if you have previewed them in encrypted HDD or TrueCrypt/VeraCrypt container,” said Wojciech Reguta, a security researcher, who wrote an analysis of the consequences of QuickLook’s preview functionality.
The behavior of QuickLook isn’t a security vulnerability and is a known function in some circles, especially among forensics investigators. But it’s behavior that many Mac users likely aren’t aware of. The same behavior applies to password-protected Apple File System encrypted containers, said security researcher Patrick Wardle, who builds macOS security tools and does quite a bit of security research on Apple products.
“For example if we create a file in the (mounted) container, and then simply view the container in the UI (i.e. not previewing the file!), we can observe the thumbnail(s) of the file being automatically created and cached,” Wardle said.
“If we unmount the encrypted volume, the thumbnails of the file are (as previously mentioned) still stored in the user's temporary directory, and thus can be extracted...and depending on the size of the 'preview' images generated for Finder (and other variables, such as the size of the font used in the file), the contents of even documents may be discernible from the thumbnail alone.”
Wardle added that macOS also will cache thumbnails of files stored in folders on USB drives inserted into Macs. Also, metadata and file paths are stored in a small database in the QuickLook cache folder.
“For a forensics investigation or surveillance implant, this information could prove invaluable. Imagine having a historic record of the USB devices, files on the devices, and even thumbnails of the files...all stored persistently in an unencrypted database, long after the USB devices have been removed (and perhaps destroyed),” Wardle said.
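To see what that database retains on your own machine, the audit below groups cached entries by the external or encrypted volume they came from and flags volumes that are no longer mounted. It is an added example, not code from the article or the researchers; the table layout (`files`, `thumbnails`), the sample rows and every function name are assumptions made for illustration.

```python
import sqlite3
from collections import defaultdict

# Assumed layout of the cache's index database (the article does not give it):
# files(folder, file_name) and thumbnails(file_id -> files.rowid, hit_count).
SCHEMA = """
CREATE TABLE files (folder TEXT, file_name TEXT);
CREATE TABLE thumbnails (file_id INTEGER, hit_count INTEGER);
"""

# Constructed sample rows: (folder, file_name, [hit_count per cached thumbnail]).
SAMPLE = [
    ("/Users/alice/Pictures", "holiday.jpg", [3]),
    ("/Volumes/VAULT/finance", "tax-2017.pdf", [2, 1]),
    ("/Volumes/USB_STICK", "badge-scan.png", [5]),
]

def build_sample_index():
    """Return an in-memory database filled with the constructed rows."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    for folder, name, hits in SAMPLE:
        cur = db.execute("INSERT INTO files VALUES (?, ?)", (folder, name))
        db.executemany("INSERT INTO thumbnails VALUES (?, ?)",
                       [(cur.lastrowid, h) for h in hits])
    return db

def volume_residue(db, mounted):
    """Group cached entries by /Volumes/<name>; mark volumes no longer mounted."""
    query = """
        SELECT f.folder, f.file_name, COUNT(t.rowid), COALESCE(SUM(t.hit_count), 0)
        FROM files f LEFT JOIN thumbnails t ON t.file_id = f.rowid
        WHERE f.folder LIKE '/Volumes/%'
        GROUP BY f.rowid ORDER BY f.folder, f.file_name
    """
    report = defaultdict(lambda: {"mounted": False, "files": []})
    for folder, name, thumbs, hits in db.execute(query):
        volume = folder.split("/")[2]  # "/Volumes/<name>/..." -> "<name>"
        report[volume]["mounted"] = volume in mounted
        report[volume]["files"].append((f"{folder}/{name}", thumbs, hits))
    return dict(report)

if __name__ == "__main__":
    for vol, info in volume_residue(build_sample_index(), {"USB_STICK"}).items():
        state = "mounted" if info["mounted"] else "NOT mounted, residue only"
        print(f"{vol} ({state}): {info['files']}")
```

Entries reported for a volume that is not mounted are exactly the residue described above. On a Mac, `qlmanage -r cache` resets the thumbnail cache.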
QuickLook is a legitimately useful feature, but Wardle said features like this can come with security tradeoffs.
“It’s a neat feature to have! QuickLook is really useful. The problem is this feature does not seem to be designed with security in mind, as is often the case with usability features,” Wardle said via email.