FileVault and QuickLook leak some information from encrypted volumes in Mac OS
If you use FileVault and QuickLook on a Mac, be aware that the combination of the two may leak some sensitive information from encrypted volumes.
Reader Jack R. sent in the following tip, explaining the situation further:
When FileVault and QuickLook are used concurrently, information about what files are stored on the encrypted volume becomes available and completely unencrypted on your hard drive. This is due to QuickLook’s thumbnail caching that is stored within the /var/ directory.
Run the following command to see the size of the QuickLook cache to demonstrate the potential:
find /var/folders -name "*QuickLook*" -exec du -h {} \; 2>/dev/null
The worst case scenario is the potential for exposing file names and even QuickLook thumbnails of documents and images. There’s also a sqlite file called index.sqlite within the /var/folders QuickLook cache directories that has a list of file names on the encrypted volumes.
Whether or not this is a legitimate security hole that is patchable or if it’s something I’m aimlessly worried about, I don’t know, but I am willing to bet many people don’t know about this!
Editor note: This definitely seems like a security hole. I imagine the best way to avoid this problem is to just not use QuickLook on the sensitive encrypted data, although that’s more of a workaround than a fix. Perhaps Mac OS X will eventually get a security update to resolve the problem.
Update 6/18/2018: Over 8 years later, this security bug still exists in MacOS / Mac OS X! That’s the bad news. But here’s the good news: security researcher Patrick Wardle has brought some renewed attention to this flaw and thus it will likely get patched in a future software update.
In the meantime, Wardle recommends the following command string to delete the Quick Look cache, which can be entered into the Terminal of MacOS / Mac OS X:
qlmanage -r cache
Executing that command will clear the Quick Look cache. Keep an eye out for future security updates and software updates to Mac OS as they will likely patch the bug once and for all.
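Added example (not from the original article or from Wardle's research): a small shell audit that locates the Quick Look thumbnail caches described above and reports, per cache, its size, file count and whether index.sqlite is present, returning non-zero while any cache still holds data. The function names are made up for this example, and the cache root is an argument so the script can be pointed at /var/folders or at a test tree.

```shell
#!/bin/sh
# Added example: audit Quick Look thumbnail caches left on disk.
# Directory and file names come from the article; sizes are in KB.

CACHE_NAME='com.apple.QuickLook.thumbnailcache'

# Print every Quick Look cache directory under $1 (default /var/folders).
# -iname because a path quoted on this page spells it with a capital "Apple".
ql_cache_dirs() {
    find "${1:-/var/folders}" -type d -iname "$CACHE_NAME" 2>/dev/null
}

# One line per cache: <KB> <files> <index.sqlite: yes|no> <path>, tab-separated.
# Returns 1 if any cache still holds files, 0 otherwise.
ql_cache_report() {
    dirty=0
    list=$(ql_cache_dirs "$1")
    if [ -z "$list" ]; then return 0; fi
    # A here-document keeps the loop in the current shell so $dirty survives.
    while IFS= read -r d; do
        kb=$(du -sk "$d" 2>/dev/null | awk '{print $1}')
        files=$(find "$d" -type f 2>/dev/null | wc -l | tr -d ' ')
        if [ -f "$d/index.sqlite" ]; then index=yes; else index=no; fi
        if [ "$files" -gt 0 ]; then dirty=1; fi
        printf '%s\t%s\t%s\t%s\n' "${kb:-0}" "$files" "$index" "$d"
    done <<EOF
$list
EOF
    return "$dirty"
}

# Run against the live system (or a root given as $1), for example before and
# after `qlmanage -r cache`, to confirm the reset actually emptied the caches.
if ! ql_cache_report "${1:-/var/folders}"; then
    echo "Quick Look caches still contain data" >&2
fi
```

Directories the current user cannot read are skipped silently, so an empty report means "nothing readable was found", not proof that no cache exists.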
It is absolutely amazing this security bug still exists today in 2018 Mac OS X despite you guys reporting this as a clear security flaw almost a decade ago.
OK so here we are in the modern era, the flaw exists in MacOS today. But here is how you can clear the Quick Look cache according to some newer research by Patrick Wardle, from Terminal:
$ rm -rf "$TMPDIR/../C/com.apple.QuickLook.thumbnailcache"
$ qlmanage -r cache
$ sudo reboot
Some modern updates for those interested in the topic:
https://objective-see.com/blog/blog_0x30.html
https://thehackernews.com/2018/06/apple-macos-quicklook.html
How many other bugs were widely known years ago that remain unfixed?
Maybe Apple should be reading this site, blogs, forums, fan sites, etc. to learn about their own products, because rest assured security researchers and the other guys do :)
Thanks for the heads up, we updated the article to include the “qlmanage -r cache” cache dump as an interim solution. It’s interesting this bug slipped through the cracks for so long, but surely it will be patched now that it is getting broader coverage.
Missing the point with this conversation, which is why so shady a method? These thumbnails, or “pictures” it is taking, what is wrong with storing in ~/Library/Caches?
Actually, it does have a real impact. Virtual memory must be allocated and swapped to disk. The reason I started looking into QL is because of the memory and CPU it was using at login. To quote Robert A. Heinlein, TANSTAAFL (there ain’t no such thing as a free lunch). Virtual memory does have an impact, even if it’s only temporary/transient.
The bottom line is that it uses resources on my system, and I never use it. So far, I’ve found no way to disable it and recover the resources it uses.
Not if that VM is just memory mapped to a file on disk (which is the case).
There is definitely an issue with Quick Look. I don’t know about FileVault, but it creates and caches previews for files in TrueCrypt encrypted volumes.
It’s certainly missing a level of transparency and manageability showing what it’s doing, what’s stored where, etc.
There is also the fact that, for those of us who don’t use QL, not being able to disable it makes it a complete waste of resources. On my machine, it allocates over 500MB of VM, for a feature that I never use.
How do I tell QL to ignore some/all volumes?
Quick Look does not really “allocate” 500MB of memory. It’s purely virtual and generally accounts for a very small amount of real wired memory. This has no real impact on the global system performance.
As I mentioned in my previous comment, Quick Look does not store anything in its cache that comes from encrypted volumes.
If you really want to reset the cache, use “qlmanage -r cache” in a Terminal.
Found it in cd ‘/private/var/folders/M4/M4C9EH+OHfCUCPjIRmQAUU+++TI-Caches-/com.Apple.QuickLook.thumbnailcache/’ What would be the consequence of simply deleting the whole com.Apple.QuickLook.thumbnailcache folder?
…and what application can open the files therein so I can read them?
If J is correct, not a big deal, but if the stuff is actually cached, why not just add a script to your machine that periodically deletes the cache file during the day? At least it would lessen the damage on a breach.
Thumbnail cache is disabled for encrypted volumes, including file vault users. You should be able to confirm with the following terminal command:
qlmanage -m disks
If this is not the case, there is definitely a bug in Quick Look.
So how do you disable QuickLook?
Good question, you can kill the daemon from running by using
killall -9 quicklookd
but that is not a permanent solution.
It might be best to just not use quicklook, thus not allowing the thumbnails to be generated. I have yet to find a way to disable Quick Look completely.