macOS preview feature may leak thumbnails of encrypted files


Two security researchers have drawn attention to a method of viewing files under macOS that is said to have been known in forensic circles for some time: the QuickLook function could reveal thumbnails of files in encrypted containers because it caches them.

macOS security researcher Patrick Wardle, along with researcher Wojciech Reguła, has devoted a blog post to the phenomenon, which he says has been known in forensic circles for years. The QuickLook feature allows macOS users to preview a file by selecting it and pressing the spacebar. Because these thumbnails are cached, they can be read again later and could therefore reveal sensitive information. This is problematic with files stored in an encrypted container.

In the blog post, the researchers demonstrate the technique, for example by creating such a container with VeraCrypt, placing two images in it and viewing them briefly with the preview function. With a script it is then possible to retrieve a cached version of the images from memory. According to the researchers, this is also possible with an encrypted APFS container, even after it is no longer mounted. They add that previewing the file first isn't strictly required, but the cached thumbnail will be smaller in that case.

The same is said to work with text files, although the readability of the thumbnail depends on the chosen font size, among other things. The contents of connected USB drives could also be found in the cache. Wardle argues that the phenomenon can pose a risk if, for example, an attacker has physical access to a system that is switched on. A work-around is to manually clear the QuickLook cache, for which he gives instructions.
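
The work-around above, as an added example that is not from the article or the researchers' blog post: a shell script that reports how much data the current user's QuickLook thumbnail cache holds and resets it. The cache directory name and the `qlmanage -r cache` command are assumptions about macOS that the article does not state, and the function names are hypothetical.

```bash
#!/bin/bash
# Added example (not from the article). Assumed, not stated on the page:
# the cache directory name and the `qlmanage -r cache` reset command.
QL_DIR_NAME="com.apple.QuickLook.thumbnailcache"

# Print the current user's QuickLook cache directory (macOS only).
ql_cache_dir() {
    base=$(getconf DARWIN_USER_CACHE_DIR 2>/dev/null) || return 1
    [ -n "$base" ] || return 1
    printf '%s%s\n' "$base" "$QL_DIR_NAME"   # base ends with a slash
}

# Print the total size in bytes of the files directly inside a cache
# directory; prints 0 when the directory is missing or empty.
ql_cache_bytes() {
    dir=$1
    total=0
    if [ -d "$dir" ]; then
        for f in "$dir"/*; do
            [ -f "$f" ] || continue
            size=$(wc -c 2>/dev/null < "$f") || continue
            total=$((total + size))
        done
    fi
    echo "$total"
}

# Succeed when the cache holds data, i.e. thumbnails may still be on disk.
ql_cache_has_data() {
    [ "$(ql_cache_bytes "$1")" -gt 0 ]
}

# Reset the cache with the system tool; fails when qlmanage is absent.
ql_cache_clear() {
    command -v qlmanage >/dev/null 2>&1 || return 1
    qlmanage -r cache >/dev/null 2>&1
}

case "${1:-}" in
    report)
        dir=$(ql_cache_dir) || { echo "not a macOS system" >&2; exit 1; }
        echo "$dir: $(ql_cache_bytes "$dir") bytes" ;;
    clear)
        ql_cache_clear || { echo "qlmanage failed or missing" >&2; exit 1; }
        dir=$(ql_cache_dir) && echo "after reset: $(ql_cache_bytes "$dir") bytes" ;;
esac
```

Running it with `report` before and after working in an encrypted container shows whether previews added data to the cache; `clear` resets the cache once the container is unmounted.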
