Skip to main content

Macs leak sensitive data from encrypted files, even after they’re deleted

A background feature in MacOS called Quick Look is leaking sensitive data even if the content is locked behind password-protected encryption, security experts claim. Introduced in MacOS 10.5 Leopard, Apple designed Quick Look to give you a glimpse into a file without manually opening it with an app. But for the sake of convenience, Quick Look serves up a dish of potential privacy concerns. 

Used by the Finder app in MacOS, Quick Look stores a thumbnail containing the file’s full name, path, and a miniature image of what is stored inside the file, even if it’s password-protected and encrypted. This cached data also isn’t secured: It’s stored openly without passwords or encryption in the user’s TMPDIR directory and accessible to any person or application. The data even remains on the Mac after you reboot the device, delete the original files, and/or disconnect an external storage device. 

Image used with permission by copyright holder

That said, if someone gains physical access to your Mac device, they can view the contents of any stored file. That makes Quick Look a highly useful tool for forensic investigations, surveillance implants, and for nosy significant others who simply want a quick way to snoop through your files. 

“Imagine having a historic record of the USB devices, files on the devices, and even thumbnails of the files … all stored persistently in an unencrypted database, long after the USB devices have been removed (and perhaps destroyed),” says chief research officer Patrick Wardle of Digital Security. “For users, the question is: Do you really want your Mac recording the file paths and ‘previews’ thumbnails of the files on any/all USB sticks that you’ve ever inserted into your Mac? Me thinks not.” 

The blog builds on a report issued by Wojciech Regula from SecuRing in early June who pointed out that the cached thumbnails remain on a Mac even if the originating files were deleted, previewed on an encrypted drive, or previewed using a TrueCrypt/VeraCrypt container. 

“If you open a folder with files residing on an external drive, thumbnails will be created on the boot drive depending on the file type and the installed Quick Look plugins,” Wardle adds. “The previews, metadata and file paths are stored in SQLite database files deep inside the var folder. The path to this folder contains arbitrary folder names. With the proper commands the preview pics can be extracted from the database.” 

Currently, Mac owners can manually clear the Quick Look cache using the “qlmanage” command. In the latest version of MacOS High Sierra, simply navigate to Launcher > Other > Terminal and type “qlmanage -r cache” at the prompt without the quotes. After that, reboot the Mac and the thumbnails should be gone. 

Editors' Recommendations

Kevin Parrish
Former Digital Trends Contributor
Kevin started taking PCs apart in the 90s when Quake was on the way and his PC lacked the required components. Since then…
Ranking the best (and worst) versions of macOS from the last 20 years
An Apple iMac from 2019 placed on a desk. The macOS Mojave operating system is on its display.

Apple’s macOS operating system is known for its stability and features, but it wasn’t always this way. Throughout the history of macOS (and OS X before it), there have been some real stinkers that Apple would probably rather we all forgot about. Yet there have also been some classic versions that still live fondly in the memories of Mac users new and old.

In this article, we’ve picked five of the best versions of Apple’s Mac operating system, as well as five of its worst, presented in chronological order. We’ve started with the launch of OS X 10.0 in 2001 and continued right up to the present, past the operating system’s rebranding as macOS in 2016. If Windows is your speed, we've also ranked the best Windows versions of all time. Let’s explore Apple’s greatest hits -- and some of its worst howlers.
Worst: OS X 10.0 Cheetah (2001)

Read more
Beware — even Mac open-source apps can contain malware
A pair of glasses rests on a desk in front of multiple computer monitors filled with code.

Installing apps on a Mac is generally considered to be safer than doing so on Windows and open-source software is usually benign but there are exceptions to both of these assumptions that can do untold damage to your privacy and security.

A recent discovery by Trend Micro provides a startling example of this risk. An open-source app designed to help Mac owners with iPhone and iPad app signing has been altered to include a nasty hack that steals your Apple Keychain data. The original app is called ResignTool and it’s available for free on the popular open-source site, GitHub. The app is six years old and both the code and the ready-to-run app can be downloaded from GitHub. That isn’t the problem.

Read more
Having MacBook Pro speaker problems? You’re not the only one
Apple MacBook Pro side view showing keyboard deck and ports.

The 2021 MacBook Pro is one of the best laptops Apple has released in recent years, but it seems even the best has flaws. A number of owners are complaining of audio issues, which are being described as a popping or crackling sound during audio playback.

The issues aren't consistent and happen randomly while songs, video, or other audio sources are playing. Specifically, the popping is more pronounced at higher volume levels or pitches.

Read more