Apple's Quick Look Is a Privacy Fail for Encrypted Files

Even if you encrypt a hard drive connected to your Mac, Apple is (possibly unintentionally) undermining your efforts. A newly publicized, but long-implemented, system feature quietly creates unencrypted versions of the files on that drive, which an informed snooper could view.

While there's no big fix for the issue, we've got instructions for how to clear those data-leaking files from your system.

This month, a pair of security experts, Patrick Wardle and Wojciech Regula, explained on their own blogs how the flaw came out of a simple, seemingly innocuous OS X/macOS function. Quick Look allows you to preview any file on a Mac by selecting it and hitting the Space bar.

In his explanation, Regula shows how Quick Look creates a smaller, still legible, version of each previewed file. You don't even need to manually use Quick Look, though. Wardle, who incorporated Regula's own blog posting into his own, showed that the thumbnail of an encrypted text file will reveal at least the first line of text.

Wardle also found that plugging an encrypted USB drive into your PC will create readable files in the directory that Quick Look uses as a repository on the main, unencrypted hard drive. You don't even have to open the USB drive in Finder, or preview its contents. Anyone who got access to the machine could view the file list of the unencrypted USB drive, even after it had been unplugged.

What to do

For now, all you can do is erase the thumbnails that have been created, because macOS doesn't provide an option to end this behavior. Hopefully, Apple will change the way Finder operates so that it stops creating these privacy leaks.

Note: your system will reboot once you finish these steps.

1. Eject the encrypted drive(s).

2. Click the Spotlight icon.

3. Type 'terminal' and open Terminal.

4. Paste in the below text and hit enter.

rm -rf "$TMPDIR/../C/com.apple.QuickLook.thumbnailcache"

5. Paste in the below text, which will cause your system to restart, and hit enter.

sudo reboot

6. Enter your password and hit Return.
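
The cleanup in step 4, as an added example that is not code from this article or from Wardle's or Regula's posts: it reports what the thumbnail cache holds before deleting it, and refuses to delete when TMPDIR is unset or the path is not the expected one. The function names are hypothetical, and the script does not reboot; that remains step 5.

```shell
#!/bin/sh
# Added example: inspect, then clear, the Quick Look thumbnail cache.
# Function names are hypothetical; the cache path is the one in step 4.
CACHE_NAME="com.apple.QuickLook.thumbnailcache"

# Resolve the path the article's rm command targets ($TMPDIR/../C/...).
# Fails when TMPDIR is unset, so rm is never handed a bare "/../C/..." path.
ql_cache_dir() {
    [ -n "${TMPDIR:-}" ] || { echo "TMPDIR is not set" >&2; return 1; }
    parent=$(cd "$TMPDIR/.." 2>/dev/null && pwd -P) || {
        echo "cannot resolve $TMPDIR/.." >&2; return 1; }
    printf '%s\n' "$parent/C/$CACHE_NAME"
}

# Print "<file count> <size in KiB>" for the cache, or "0 0" if it is absent.
ql_cache_report() {
    dir=$1
    [ -d "$dir" ] || { echo "0 0"; return 0; }
    files=$(find "$dir" -type f | wc -l | tr -d ' ')
    kib=$(du -sk "$dir" | awk '{print $1}')
    echo "$files $kib"
}

# Delete the cache only if the path ends in the expected directory name.
ql_cache_clear() {
    dir=$1
    case "$dir" in
        */C/"$CACHE_NAME") ;;
        *) echo "refusing to delete unexpected path: $dir" >&2; return 1 ;;
    esac
    [ -d "$dir" ] || return 0
    rm -rf -- "$dir"
}

# Typical use in Terminal, after ejecting the encrypted drive(s):
#   cache=$(ql_cache_dir) && ql_cache_report "$cache" && ql_cache_clear "$cache"
```

Running the report again after the reboot shows whether Finder has begun repopulating the cache.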

This isn't exactly new

This problem has cropped up before, even if it hasn't been widely publicized. A 2010 article on OSXDaily.com explained the problem, although that piece assumed that the user would have to preview the file for a thumbnail to be created.

Regula said that viewing cached thumbnails is apparently a known technique among forensic examiners, even though he didn't know about it before. It could be used to help determine the contents of encrypted files and folders created by a person who was trying to stay private. 

We've reached out to Apple for comment, and will update this story when we receive a response.

Credit: Ink Drop / Shutterstock

Henry is a senior writer at Laptop Mag, covering security, Apple and operating systems. Prior to joining Laptop Mag — where he's the self-described Rare Oreo Expert — he reviewed software and hardware for TechRadar Pro, and interviewed artists for Patek Philippe International Magazine. You can find him at your local pro wrestling events, and wondering why Apple decided to ditch its MagSafe power adapters.