Skip to main content

Nearly decade-old macOS ‘Quick Look’ security hole again raises concerns from researchers

While many users find the Quick Look functionality in macOS incredibly convenient, security researchers have uncovered a security hole that could expose the content of files stored on encrypted drives…

First discovered by security researcher Wojciech Regula, and shared today on The Hacker News, the bug relates to how the macOS generates thumbnails for files and folders in an effort to provide the Quick Look functionality to users. These thumbnails are then cached to allow access via Quick Look.

The issue, however, stems from the fact that the cached thumbnails are then stored on a Mac’s unencrypted hard drive. This doesn’t necessarily mean that the entire file is visible, but the thumbnail at least exposes some of its contents:

However, these cached thumbnails are stored on the computer’s non-encrypted hard drive, at a known and unprotected location, even if those files/folders belong to an encrypted container, eventually revealing some of the content stored on encrypted drives.

Regula demonstrated this by creating two encrypted containers:

To prove his claim, Regula created two new encrypted containers, one using VeraCrypt software and the second with macOS Encrypted HFS+/APFS drives, and then saved a photo in each of them. As explained in his post, after running a simple command on his system, Regula was able to find the path and cached files for both images left outside the encrypted containers.

“It means that all photos that you have previewed using space (or Quicklook cached them independently) are stored in that directory as a miniature and its path,” Regula said.

The issue also extends to USB drives that are connected to a Mac. In this case, macOS will create thumbnails of the files on the external drive, and store them on the boot drive.

This isn’t necessarily a new flaw, as Digital Security researcher Patrick Wardle says this issue has been known for “at least eight years.” Wardle says that a fix from Apple would be relatively easy:

“The fact that behavior is still present in the latest version of macOS, and (though potentially having serious privacy implications), is not widely known by Mac users, warrants additional discussion.”

Wardle believes it would be pretty easy for Apple to resolve this issue by either not generating a preview if the file is within an encrypted container, or deleting the cache when a volume is unmounted.

More information can be found at the links below:

Subscribe to 9to5Mac on YouTube for more Apple news:

FTC: We use income earning auto affiliate links. More.

You’re reading 9to5Mac — experts who break news about Apple and its surrounding ecosystem, day after day. Be sure to check out our homepage for all the latest news, and follow 9to5Mac on Twitter, Facebook, and LinkedIn to stay in the loop. Don’t know where to start? Check out our exclusive stories, reviews, how-tos, and subscribe to our YouTube channel



Avatar for Chance Miller Chance Miller

Chance is an editor for the entire 9to5 network and covers the latest Apple news for 9to5Mac.

Tips, questions, typos to