Skip to main content

Macs leak sensitive data from encrypted files, even after they’re deleted

A background feature in MacOS called Quick Look is leaking sensitive data even if the content is locked behind password-protected encryption, security experts claim. Introduced in MacOS 10.5 Leopard, Apple designed Quick Look to give you a glimpse into a file without manually opening it with an app. But for the sake of convenience, Quick Look serves up a dish of potential privacy concerns. 

Used by the Finder app in MacOS, Quick Look stores a thumbnail containing the file’s full name, path, and a miniature image of what is stored inside the file, even if it’s password-protected and encrypted. This cached data also isn’t secured: It’s stored openly without passwords or encryption in the user’s TMPDIR directory and accessible to any person or application. The data even remains on the Mac after you reboot the device, delete the original files, and/or disconnect an external storage device. 

That said, if someone gains physical access to your Mac device, they can view the contents of any stored file. That makes Quick Look a highly useful tool for forensic investigations, surveillance implants, and for nosy significant others who simply want a quick way to snoop through your files. 

“Imagine having a historic record of the USB devices, files on the devices, and even thumbnails of the files … all stored persistently in an unencrypted database, long after the USB devices have been removed (and perhaps destroyed),” says chief research officer Patrick Wardle of Digital Security. “For users, the question is: Do you really want your Mac recording the file paths and ‘previews’ thumbnails of the files on any/all USB sticks that you’ve ever inserted into your Mac? Me thinks not.” 

The blog builds on a report issued by Wojciech Regula from SecuRing in early June who pointed out that the cached thumbnails remain on a Mac even if the originating files were deleted, previewed on an encrypted drive, or previewed using a TrueCrypt/VeraCrypt container. 

“If you open a folder with files residing on an external drive, thumbnails will be created on the boot drive depending on the file type and the installed Quick Look plugins,” Wardle adds. “The previews, metadata and file paths are stored in SQLite database files deep inside the var folder. The path to this folder contains arbitrary folder names. With the proper commands the preview pics can be extracted from the database.” 

Currently, Mac owners can manually clear the Quick Look cache using the “qlmanage” command. In the latest version of MacOS High Sierra, simply navigate to Launcher > Other > Terminal and type “qlmanage -r cache” at the prompt without the quotes. After that, reboot the Mac and the thumbnails should be gone. 

Editors' Recommendations

Kevin Parrish
Former Digital Trends Contributor
Kevin started taking PCs apart in the 90s when Quake was on the way and his PC lacked the required components. Since then…
This memory leak bug is killing performance in MacOS Monterey
Apple demonstrating Universal Control with a MacBook Pro and iPad next to each other on a desk.

Apple's newest desktop operating system, MacOS Monterey, brings a handful of useful new features, but an assortment of issues as well. Some people are reporting memory leaks after upgrading to MacOS Monterey — some of which have even included warnings that the entire system has run out of memory.

While new operating system rollouts tend to have a few bugs, this one seems particularly bothersome. Memory leaks occur when an application uses more memory, or RAM, than is necessary. This happens because the process in question doesn't release the memory that's allocated to it after it's closed and continues to use more memory, sometimes until there's none left.

Read more
Windows 11 is borrowing from the Mac in one significant way
panos panay at the Windows 11 event.

Matching MacOS standards, Microsoft has announced that Windows will now release major updates once a year, ditching its tradition of delivering two feature updates per year. This new release cadence will be kicked off by the release of Windows 11, which was officially announced this week by Microsoft, later this year.

There have been multiple complaints about Windows 10’s updates since day one. Microsoft has been releasing two major updates every year and users have been annoyed with their frequency and quality. The company’s two major feature releases each year push the operating system to force update some of the devices that may be running on a version that's not meeting the end of service.

Read more
How to change the default apps on a Mac
Change your Mac’s default apps in three easy steps
MacOS Catalina Hands-on | Macbook Pro

When you first get a Mac, you’ll find that Apple has set all of the default apps for common file types: Safari for websites, Preview for pictures, etc. In most cases, these are fine, and you’ll be happy enough using them. But what if you want to change the default apps on your Mac to something different?

Fortunately, it’s easy enough to do. There are, however, a few different ways of doing it depending on what file type you want to open. We’ll cover everything below.
Change the default app for specific file types

Read more