macOS 'Quick Look' Bug Can Leak Encrypted Data Through Thumbnail Caches

Discussion in 'MacRumors.com News Discussion' started by MacRumors, Jun 18, 2018.

  1. MacRumors macrumors bot

    MacRumors

    Joined:
    Apr 12, 2001
    #1
    [​IMG]


    A long-standing bug in macOS's Quick Look feature has the potential to expose sensitive user files like photo thumbnails and the text of documents, even on encrypted drives, according to security researchers.

    Details on the Quick Look flaw were shared earlier this month by security researcher Wojciech Regula and over the weekend on security researcher Patrick Wardle's blog (via The Hacker News).

    [​IMG]
    Image via Wojciech Regula

    Quick Look in macOS is a convenient Finder feature that's designed to present a zoomed-in view when you press the space bar on a photo or document that's selected.

    To provide this preview functionality, Quick Look creates an unencrypted thumbnail database where thumbnails of files are kept, with the database storing file previews from a Mac's storage and any attached USB drives whenever a folder is opened. These thumbnails, which provide previews of content on an encrypted drive, can be accessed by someone with the technical know how and there's no automatic cache clearing that deletes them. As Regula explains:
    This is an issue that's existed for at least eight years and concerns have been raised about it in the past, but Apple has made no changes in macOS to address it. "The fact that behavior is still present in the latest version of macOS, and (though potentially having serious privacy implications), is not widely known by Mac users, warrants additional discussion," writes Wardle.

    As Wardle points out, this information is valuable in law enforcement investigations, but most users are not going to be happy to learn that their Mac records file paths and thumbnails of documents from every storage device that's been attached to it.
    It's worth noting that if the main drive on the Mac is encrypted, the Quick Look cache that's created is too. Wardle says that data "may be safe" on a machine that's powered off, but on a Mac that's running, even if encrypted containers are unmounted, the caching feature can reveal their contents.

    "In other words, the increased security encrypted containers were thought to provide, may be completely undermined by QuickLook," writes Wardle.

    Wardle recommends that users concerned about unencrypted data storage clear the Quick Look cache manually whenever a container is unmounted, with instructions for this available on Wardle's website. It's also worth checking out Wardle's site for full details on the Quick Look bug.

    Article Link: macOS 'Quick Look' Bug Can Leak Encrypted Data Through Thumbnail Caches
     
  2. magicschoolbus macrumors 6502a

    magicschoolbus

    Joined:
    May 27, 2014
    #2
    Apple does not care about the Mac. The hardware and this proves it. You guys should seriously consider naming this site iosrumors.com (that's not a shot at you either.. Apple is all about iOS)
     
  3. syntax macrumors regular

    Joined:
    May 8, 2002
    #3
    Just to be clear: the current implementation of FileVault encrypts the entire hard drive, effectively neutralizing this vulnerability, correct?
     
  4. AL1630 macrumors regular

    AL1630

    Joined:
    Apr 24, 2016
    Location:
    Idaho, USA
    #4
    Hmm. It seems like these flaws are becoming more common lately. Not sure if that's just me paying more attention or if the amount of flaws is actually increasing.
     
  5. Dave-Z macrumors 6502

    Joined:
    Jun 26, 2012
    #5
    It's encrypted at rest. So if the computer is booted someone could walk up and access the files. Even the lock screen is not enough for a determined person. If the computer is powered off it should be fine with a sufficiently strong password.
     
  6. iapplelove macrumors 601

    iapplelove

    Joined:
    Nov 22, 2011
    Location:
    East Coast USA
    #6
    Apple is all about where the revenue comes from. You would too. We all would.

    iPhone is their main source of revenue.

    Still though it’s a damn shame they can’t at least keep a healthy Mac lineup going.
     
  7. InuNacho macrumors 65816

    InuNacho

    Joined:
    Apr 24, 2008
    Location:
    In that one place
    #7
    I’ve known about this for years. I accidently locked a word file and was able to “rescue” it by hitting the space bar.
    Great security.
     
  8. pat500000 macrumors G3

    pat500000

    Joined:
    Jun 3, 2015
  9. oldmacs macrumors 68040

    oldmacs

    Joined:
    Sep 14, 2010
    Location:
    Australia
    #9
    I would. It is possible to care about both.
     
  10. jchap macrumors newbie

    jchap

    Joined:
    Sep 25, 2009
    #10
    Without wanting to endorse a product that provides a "solution," CleanMyMac users might be interested to know that they can manually clean the QuickLook cache using the "System Junk" clean function of the app.
    CleanMyMac_QL_clean.png
     
  11. wlossw macrumors 65816

    wlossw

    Joined:
    May 9, 2012
    Location:
    Montreal, Quebec, Canada
  12. supercoolmanchu macrumors regular

    supercoolmanchu

    Joined:
    Mar 5, 2012
    Location:
    Hollywood
    #12
    So... use Automator to create a script to clear the cache, then add to startup items?
     
  13. funman895, Jun 18, 2018
    Last edited: Jun 19, 2018

    funman895 macrumors member

    funman895

    Joined:
    Jul 30, 2008
    Location:
    Ann Arbor, MI
    #13
    How do we know that this isn't a bug and Apple just uses a Star Wars cypher for their encryption?
     
  14. luvbug macrumors member

    luvbug

    Joined:
    Aug 11, 2017
    #14
    It's a one line command (in terminal) to clear the cache. You need to be an "admin" user, but you don't need to be root:

    qlmanage -r cache

    Of course, someone here will figure out a reason to whine about having to do this.
     
  15. jchap macrumors newbie

    jchap

    Joined:
    Sep 25, 2009
    #15
    Great tip—very good to know! Thank you for sharing this.
     
  16. luvbug macrumors member

    luvbug

    Joined:
    Aug 11, 2017
    #16
    Your welcome, although this info came from the blog post that's linked in the MR article above. I knew most people would rather whine, criticize, and/or blame Tim Cook, than read the blog, so I posted the meaningful bit.
     
  17. citysnaps macrumors 68040

    Joined:
    Oct 10, 2011
    Location:
    San Francisco
    #17
    Yes, of course. That's why you never see macOS updates from Apple. Right?
     
  18. Acidsplat macrumors regular

    Joined:
    Aug 12, 2011
    #18
    You shouldn't have to do this because of a bug in the software left in from literally years ago.
     
  19. tjktony macrumors newbie

    Joined:
    Aug 3, 2009
    #19
    Any idea how to do this?
     
  20. luvbug macrumors member

    luvbug

    Joined:
    Aug 11, 2017
    #20
    So, you get the prize for first whiner! I guess assigning blame is more important to you than addressing the problem in the first person using readily available information.
     
  21. ignatius345 macrumors 65816

    Joined:
    Aug 20, 2015
    #21
    I personally won't bother clearing my QL caches because the convenience of the preview outweighs some very, very implausible attack on my low-value data -- but this does seem like a very sensible and quick fix for those with greater security needs than myself.

    For anyone who uses Alfred, by the way, you can enter terminal commands right into the search window by starting with a ">" character and then entering the terminal command you want to run. It'll call up a Terminal window and enter the string for you right away. Makes this command even faster to run, until such time as the bug properly fixed.
     
  22. Icy1007 macrumors 65816

    Icy1007

    Joined:
    Feb 26, 2011
    Location:
    Cleveland, OH
    #22
    Seems like a pretty minor issue in my opinion.
     
  23. Baymowe335 macrumors 68000

    Joined:
    Oct 6, 2017
    #23
    This is simply not true. Software has bugs and Apple will fix them, better than others. A tiny software bug that will be fixed isn’t a referendum on the state of the Mac every single time.

    Apple doesn’t update hardware based on what you think is appropriate. They have all the data and facts to back up their strategy, which is working.

    Mac revenue is still holding strong, up slightly y/y. Mac is <10% of their revenue but still a large ~$25B/yr business. They do care, but Apple understands what they’re doing. The vocal minority isn’t reality. If it were a major emergency, you’d see them update the various Mac lines. The reality is, it’s just not an issue.
     
  24. luvbug macrumors member

    luvbug

    Joined:
    Aug 11, 2017
    #24
    Thank you! That was refreshing!
     
  25. Acidsplat macrumors regular

    Joined:
    Aug 12, 2011
    #25
    Ordinary people wouldn’t know to input a terminal command, or even know that Quick Look is leaking their data.

    The bug lies with Apple’s code. How is this the fault of the consumer? The consumer is certainly not the party to blame in this situation.
     

Share This Page