Apple's Quick Look Is a Privacy Fail for Encrypted Files

Even if you encrypt a hard drive connected to your Mac, Apple is (possibly unintentionally) undermining your efforts. A newly publicized, but long-implemented, system feature quietly creates unencrypted versions of those files, which an informed snooper could view.

While there's no big fix for the issue, we've got instructions for how to clear those data-leaking files from your system.

This month, a pair of security experts, Patrick Wardle and Wojciech Reguła, explained on their own blogs how the flaw came out of a simple, seemingly innocuous OS X/macOS function. Quick Look allows you to preview any file on a Mac by selecting it and hitting the Space bar.

In his explanation, Reguła shows how Quick Look creates a smaller, still legible, version of each previewed file. You don't even need to manually use Quick Look, though. Wardle, who incorporated Reguła's blog posting into his own, showed that the thumbnail of an encrypted text file will reveal at least the first line of text.

Wardle also found that plugging an encrypted USB drive into your PC will create readable files in the directory that Quick Look uses as a repository on the main, unencrypted hard drive. You don't even have to open the USB drive in Finder, or preview its contents. Anyone who got access to the machine could view the file list of the unencrypted USB drive, even after it had been unplugged.

What to do

For now, all you can do is erase the thumbnails that have been created, because macOS doesn't provide an option to end this behavior. Hopefully, Apple will change the way Finder operates so that it stops creating these privacy leaks.

Note: your system will reboot once you finish these steps.

1. Eject the encrypted drive(s).

2. Click the Spotlight icon.

3. Type 'terminal' and open Terminal.

4. Paste in the below text and hit enter.

rm -rf "$TMPDIR/../C/com.apple.QuickLook.thumbnailcache"

5. Paste in the below text, which will lead to your system resetting, and hit enter.

sudo reboot

6. Enter your password and hit Return.
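A guarded version of the cleanup command in step 4, as an added example that is not from the original article: it reports how many files and bytes the cache holds before removal, and refuses to delete anything if TMPDIR is empty or the path does not end in the cache directory name. The function names are hypothetical, and the reboot in step 5 is still done separately.

```shell
#!/bin/sh
# Added example: inspect and safely clear the Quick Look thumbnail cache.
# Function names are hypothetical; only the cache path comes from the article.
QL_NAME="com.apple.QuickLook.thumbnailcache"

# Print the cache path the article's command targets. Fail if TMPDIR is
# unset, so an empty variable can never turn the path into "/../C/...".
ql_cache_dir() {
    [ -n "${TMPDIR:-}" ] || { echo "TMPDIR is not set" >&2; return 1; }
    printf '%s\n' "${TMPDIR%/}/../C/$QL_NAME"
}

# Print "<file count> <total bytes>" for the cache; return 1 if it is absent.
ql_cache_report() {
    dir=$1
    [ -d "$dir" ] || return 1
    files=$(find "$dir" -type f | wc -l | tr -d ' ')
    bytes=$(find "$dir" -type f -exec cat {} + | wc -c | tr -d ' ')
    printf '%s %s\n' "$files" "$bytes"
}

# Remove the cache, but only if the path ends in the expected name and is
# a real directory (not a symlink pointing somewhere else).
ql_cache_clear() {
    dir=$1
    [ "$(basename "$dir")" = "$QL_NAME" ] || { echo "refusing: $dir" >&2; return 2; }
    [ -d "$dir" ] && [ ! -L "$dir" ] || return 1
    rm -rf -- "$dir"
    [ ! -e "$dir" ]
}
```

With the encrypted drives ejected, `d=$(ql_cache_dir) && ql_cache_report "$d" && ql_cache_clear "$d"` shows what was cached and then removes it.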

This isn't exactly new

This problem has cropped up before, even if it hasn't been widely publicized. A 2010 article on OSXDaily.com explained the problem, although that piece assumed that the user would have to preview the file for a thumbnail to be created.

Reguła said that viewing cached thumbnails is apparently a known technique among forensic examiners, even though he didn't know about it before. It could be used to help determine the contents of encrypted files and folders created by a person who was trying to stay private.

We've reached out to Apple for comment, and will update this story when we receive a response.

Credit: Ink Drop / Shutterstock

Author Bio
Henry T. Casey
After graduating from Bard College with a B.A. in Literature, Henry T. Casey worked in publishing and product development at Rizzoli and The Metropolitan Museum of Art, respectively. Henry joined Tom's Guide and LAPTOP having written for The Content Strategist, Tech Radar and Patek Philippe International Magazine. He divides his free time between going to live concerts, listening to too many podcasts, and mastering his cold brew coffee process. Content rules everything around him.