A bug in macOS’ Quick Look feature has seemingly been known to forensic experts for the better part of a decade, but security researcher Wojciech Regula shed new light on how the vulnerability actually works in a report published earlier this month.
Photo: Alex Cranz (Gizmodo)
The issue apparently has to do with how Apple’s Quick Look feature takes a snapshot of your hard drive’s contents in order to show you a handy preview of the selected data.
Because Quick Look saves those snapshots to a folder on your computer, it’s possible for someone to view snapshots of everything you’ve ever previewed (including files saved to encrypted drives) by locating the cache where all those snapshots are stored, Regula and ZDNet report.
In Regula’s proof of concept, he took photos of Luke Skywalker and Darth Vader and put one in a Veracrypt container and another on a macOS encrypted HFS+ drive, opened them both in Quick Look, and then used a command to locate a thumbnail of each image in a different directory within the computer.
While the thumbnails of the original 1920 x 1080 images were only 336 x 182 pixels when saved by Quick Look’s snapshot, Regula says those thumbnails were still more than enough to get a good sense of what the original file is.
The potentially scary part about this issue is that if you use Quick Look to preview data stored on a removable drive such as a USB stick, those thumbnails get saved to Quick Look’s hidden cache, too.
However, things may not be as dire as they seem. In order to view the cache where Quick Look thumbnails are cached, someone would need physical access to your device, along with a way to unlock it and get inside. Furthermore, if your main drive in encrypted, then everything else on your computer including the thumbnail cache will be protected.
If you are still concerned about old macOS Quick Look caches compromising your security, Digita Security chief research officer Patrick Wardle has posted instructions on how to clear macOS’ thumbnail cache.
Currently, Regula says the Quick Look vulnerability affects even the most updated versions of macOS. While it’s unclear if the exploit still works in the dev preview for macOS Mojave, here’s hoping Apple addresses it before Mojave gets officially released later this spring.