While many users find the Quick Look functionality in macOS incredibly convenient, security researchers have uncovered a security hole that could expose the content of files stored on encrypted drives…

Sylvania HomeKit Light Strip

First discovered by security researcher Wojciech Regula, and shared today on The Hacker News, the bug relates to how the macOS generates thumbnails for files and folders in an effort to provide the Quick Look functionality to users. These thumbnails are then cached to allow access via Quick Look.

The issue, however, stems from the fact that the cached thumbnails are then stored on a Mac’s unencrypted hard drive. This doesn’t necessarily mean that the entire file is visible, but the thumbnail at least exposes some of its contents:

However, these cached thumbnails are stored on the computer’s non-encrypted hard drive, at a known and unprotected location, even if those files/folders belong to an encrypted container, eventually revealing some of the content stored on encrypted drives.

Regula demonstrated this by creating two encrypted containers:

To prove his claim, Regula created two new encrypted containers, one using VeraCrypt software and the second with macOS Encrypted HFS+/APFS drives, and then saved a photo in each of them. As explained in his post, after running a simple command on his system, Regula was able to find the path and cached files for both images left outside the encrypted containers.

“It means that all photos that you have previewed using space (or Quicklook cached them independently) are stored in that directory as a miniature and its path,” Regula said.

The issue also extends to USB drives that are connected to a Mac. In this case, macOS will create thumbnails of the files on the external drive, and store them on the boot drive.

This isn’t necessarily a new flaw, as Digital Security researcher Patrick Wardle says this issue has been known for “at least eight years.” Wardle says that a fix from Apple would be relatively easy:

“The fact that behavior is still present in the latest version of macOS, and (though potentially having serious privacy implications), is not widely known by Mac users, warrants additional discussion.”

Wardle believes it would be pretty easy for Apple to resolve this issue by either not generating a preview if the file is within an encrypted container, or deleting the cache when a volume is unmounted.

More information can be found at the links below:


Subscribe to 9to5Mac on YouTube for more Apple news:

About the Author