macOS 'Quick Look' Bug Can Leak Encrypted Data Through Thumbnail Caches

[NoNothing]

Just to be clear: the current implementation of FileVault encrypts the entire hard drive, effectively neutralizing this vulnerability, correct?

Yes.

 

[yadmonkey]

To all of the doom and gloomers taking this as evidence that Apple doesn't care about the Mac... point to their lack of hardware updates, but not at this. 10.3 shipped with a bug that erased some people's firewire hard drives. Bugs happen.

 

[doctor-don]

The referenced file* does not appear in a search of my Mac, so I wonder about the accuracy of this article.

The Library does have cache files that begin with com.apple.QuickLook, but they are tiny 53KB and 33KB.
–––––––––––
*com.apple.QuickLook.thumbnailcache

Without wanting to endorse a product that provides a "solution," CleanMyMac users might be interested to know that they can manually clean the QuickLook cache using the "System Junk" clean function of the app.
View attachment 766773

Is this (CleanMyMac) a trusted app?

By the way, I have found that some of the PDFs I have saved for documentation of work I have done are BLANK when I attempt to view them using Quick Look.

 

[parsonsmike]

The bug lies with Apple’s code

It's not a bug, it's a feature.

 

[femike]

Its may or may not be that Apple doesn't care about the mac, but, it's yet another indication of Apple respect for the mac. In and of itself, taken in isolation, it probably hard to draw conclusions, however, with the Apple of late, small things do add up, and it's entirely normal for peoples perception to change.

That being said, one wonders how many so-called 'bugs' are actually deliberately left in for a time, until its publicly acknowledged, for the benefit of the govt authorities for nationalistic, corporate and economic espionage. Not only for Apple, as its relatively small, but others eg Microsoft, Cisco, linux stack, various protocols, encryption, etc.

 

[ChrisA]

Seems like a pretty minor issue in my opinion.

It is minor issue to you. A big deal however if you have sensitive data, say the company's customer list or plans for next year's new product and you care enough to keep this data on an encrypted drive. Then someone breaks in a steals your MacBook. You THINK the data is safe but you were wrong.

There is a tiny minority of users who actually do things with their computers other then games and Youtube. But for most users you are right, it is a minor issue

 

[jchap]

For anyone who uses Alfred, by the way, you can enter terminal commands right into the search window by starting with a ">" character and then entering the terminal command you want to run. It'll call up a Terminal window and enter the string for you right away. Makes this command even faster to run, until such time as the bug properly fixed.

Good point. I imagine you could even set up a custom workflow in Alfred to do this by typing a keyword or a few letters.

 

[MacGekko]

It's encrypted at rest. So if the computer is booted someone could walk up and access the files. Even the lock screen is not enough for a determined person. If the computer is powered off it should be fine with a sufficiently strong password.

Why is the lock screen vulnerable? What about if you use Filevault and always put the computer to sleep instead of powering down?
[doublepost=1529388307][/doublepost]

It's a one line command (in terminal) to clear the cache. You need to be an "admin" user, but you don't need to be root:

qlmanage -r cache

Of course, someone here will figure out a reason to whine about having to do this.

That's it, just that one line, no possible negative consequences from using it?

 

[Marco Klobas]

Onyx also provides this functionality.

For those using Cocktail, it has the same function as well.

Options... let you choose in the Preferences the Quick Look caches.

 

[Vjosullivan]

Think hopeless. New motto.

I prefer "Think Indifferent".

 

[deviant]

Ordinary people wouldn’t know to input a terminal command, or even know that Quick Look is leaking their data.

The bug lies with Apple’s code. How is this the fault of the consumer? The consumer is certainly not the party to blame in this situation.

Those “ordinary” people would not have encrypted volumes for one, and they don’t have spyes hunting them in the first place, too. It’s a non issue and if it’s a issue for SOME, they know how to solve it.

 

[plexdk]

I prefer "Think Indifferent".

The OS has grown very big - thats also why they decided to keep the features minimal in this release, to streamline things again. This isn't the OS X puppy from 2001 anymore.

 

[supercoolmanchu]

Any idea how to do this?

The link at the bottom of the article, details which files are the QuickLook cache.

I won’t be in front of a Mac for a few days, but this link has some info on how to use Automator to delete files (first release my I found on the ‘duck duck and go’) https://yourbusiness.azcentral.com/use-automator-mac-os-delete-files-desktop-18757.html

I’d suggest first testing it to delete a new ‘untitled folder’ on the desktop.

Once you have the Automator workflow working, add this to your Login Items in the Accounts pane of the System Prefs.

 

[Acidsplat]

Those “ordinary” people would not have encrypted volumes for one, and they don’t have spyes hunting them in the first place, too. It’s a non issue and if it’s a issue for SOME, they know how to solve it.

It doesn't change the fact the software should not be working like that, and having to do a terminal command or Automator script, no matter how minor, still doesn't change that. Why is it so controversial to accept that it is a bug that hasn't been fixed in years?

I'm not doom and gloom over everything that Apple does; however, they're a company that prides itself on privacy and encrypting everything and this bug certainly is contrary to that.

 

[deviant]

It doesn't change the fact the software should not be working like that, and having to do a terminal command or Automator script, no matter how minor, still doesn't change that. Why is it so controversial to accept that it is a bug that hasn't been fixed in years?

Because it’s sensationalist news.
It’s a complete non issue just to gain clicks.
There I said it.

 

[supercoolmanchu]

I prefer "Think Indifferent".

When people twist the ‘think different’ slogan to complain about Apple deviating from the past.

 

[justperry]

Wardle recommends that users concerned about unencrypted data storage clear the Quick Look cache manually whenever a container is unmounted, with instructions for this available on Wardle's website. It's also worth checking out Wardle's site for full details on the Quick Look bug.

For those who don't want to read through this long list of nerdy stuff:

In Terminal type

qlmanage -r cache

This clears the cache.

Seems like the guy is smart except he doesn't seem to know that you can input a command in terminal and hit return, it will show you the available options, the above command was easy to find.

 

[You are the One]

It's a one line command (in terminal) to clear the cache. You need to be an "admin" user, but you don't need to be root:

qlmanage -r cache

Of course, someone here will figure out a reason to whine about having to do this.

You don't even need to be admin.

 

[randomgeeza]

The referenced file* does not appear in a search of my Mac, so I wonder about the accuracy of this article.

The Library does have cache files that begin with com.apple.QuickLook, but they are tiny 53KB and 33KB.
–––––––––––
*com.apple.QuickLook.thumbnailcache


Is this (CleanMyMac) a trusted app?

By the way, I have found that some of the PDFs I have saved for documentation of work I have done are BLANK when I attempt to view them using Quick Look.

Stay away from Clean My Mac, Onyx is far better.

The file referred to is hidden in the private/var/folders location and will not list on a regular spotlight search.

 

[You are the One]

Just to be clear: the current implementation of FileVault encrypts the entire hard drive, effectively neutralizing this vulnerability, correct?

No, it doesn't.

It's just that FileVault needs to be bypassed before accessing the thumbnails db.

 

[pppx3]

The focus of Apple certainly is iOS, because it's on their best selling products. But let's not forget that iOS is a cut down version of Mac OS, therefore every improvement to iOS comes to the Mac. Mac OS will always be an awesome OS. I'm sure they will plug this hole and any others that come up, especially since the next OS shows more metadata with quicklook.

 

[weckart]

I’ve known about this for years. I accidently locked a word file and was able to “rescue” it by hitting the space bar.
Great security.

No longer works. At least not with Office16. Hitting the space bar prompts for a password.

 

[Sunday Ironfoot]

It's just that FileVault needs to be bypassed before accessing the thumbnails db.

Easier said than done?

And if FileVault can easily be bypassed, surely that would be a much bigger issue than this.

 

[Bacillus]

This is simply not true. Software has bugs and Apple will fix them, better than others. A tiny software bug that will be fixed isn’t a referendum on the state of the Mac every single time.

Apple doesn’t update hardware based on what you think is appropriate. They have all the data and facts to back up their strategy, which is working.

Mac revenue is still holding strong, up slightly y/y. Mac is <10% of their revenue but still a large ~$25B/yr business. They do care, but Apple understands what they’re doing. The vocal minority isn’t reality. If it were a major emergency, you’d see them update the various Mac lines. The reality is, it’s just not an issue.

This is Tim Cook-class half-truth nonsense.
Every other pc vendor owning a 25B/yr business would run around the world to get new at least 10 new models out yearly, do innovation, fix hardware shortcomings, design better keyboards, ports, listen to users etc. instead of lamenting, yearning, pretending to be the greatest media company, diverting attention to all other overblown/mediocre side-activities.
A tiny bug may not be a referendum of the Mac‘s state, but a symptom like so many others.
Nobody would be complaining if a focused product guy would run the company instead of a country-club manager

 

[plexdk]

This is Tim Cook-class half-truth nonsense.
Every other pc vendor owning a 25B/yr business would run around the world to get new at least 10 new models out yearly, do innovation, fix hardware shortcomings, design better keyboards, ports, listen to users etc. instead of lamenting, yearning, pretending to be the greatest media company, amongst all other overblown but mediocre side-activities.
A tiny bug may not be a referendum of the Mac‘s state, but a symptom like so many others.
Nobody would be complaining if a focused product guy would run the company instead of a country-club manager

when did apple release 10 new models under steve? apple has never been like that?? Except back in the nineties, where they were about to go bankrupt.