FileVault and QuickLook leak some information from encrypted volumes

Jul 25, 2010 - 12 Comments

If you use FileVault and QuickLook, you may want to know that the combination of the two may leak some sensitive information from encrypted volumes. Reader Jack R. sent in the following tip, explaining the situation further:

When FileVault and QuickLook are used concurrently, information about what files are stored on the encrypted volume becomes available and completely unencrypted on your hard drive. This is due to QuickLook’s thumbnail caching that is stored within the /var/ directory. Run the following command to see the size of the QuickLook cache to demonstrate the potential:

find /var/folders -name "*QuickLook*" -exec du -h {} \; 2>/dev/null

The worst-case scenario is the potential for exposing file names and even QuickLook thumbnails of documents and images. There’s also a sqlite file called index.sqlite within the /var/folders QuickLook cache directories that has a list of file names on the encrypted volumes.

Whether or not this is a legitimate security hole that is patchable or if it’s something I’m aimlessly worried about, I don’t know, but I am willing to bet many people don’t know about this!

Editor note: This definitely seems like a security hole. I imagine the best way to avoid this problem is to just not use QuickLook on the sensitive encrypted data, although that’s more of a workaround than a fix.
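
To check on your own machine whether names from an encrypted volume really appear in the index.sqlite file mentioned in the tip, the following Python script (an added example, not code from the original post or from Apple) searches every table of each QuickLook cache database for strings you supply. The sample database layout, the /Volumes/Vault path and all function names are constructed for illustration; the real cache schema is not assumed, which is why every column is scanned.

```python
import os, sqlite3, sys, tempfile
from pathlib import Path

def find_cache_dbs(root="/var/folders"):
    """Return index.sqlite paths under directories whose path mentions QuickLook."""
    found = []
    for dirpath, _dirs, files in os.walk(root, onerror=lambda err: None):
        if "quicklook" in dirpath.lower() and "index.sqlite" in files:
            found.append(os.path.join(dirpath, "index.sqlite"))
    return sorted(found)

def leaked_strings(db_path, needles):
    """Return sorted (table, column, value) for text cells containing any needle.
    Every table and column is scanned, so no cache schema is assumed."""
    needles = [n.lower() for n in needles]
    hits = set()
    # mode=ro opens the database read-only; the audit must not alter the cache.
    con = sqlite3.connect(Path(db_path).resolve().as_uri() + "?mode=ro", uri=True)
    con.text_factory = lambda raw: raw.decode("utf-8", "replace")  # tolerate bad UTF-8
    try:
        tables = [r[0] for r in con.execute(
            "SELECT name FROM sqlite_master WHERE type='table'")]
        for table in tables:
            cur = con.execute('SELECT * FROM "%s"' % table.replace('"', '""'))
            cols = [d[0] for d in cur.description]
            for row in cur:
                for col, val in zip(cols, row):
                    if isinstance(val, bytes):  # BLOB cells may also hold names
                        val = val.decode("utf-8", "ignore")
                    if isinstance(val, str) and any(n in val.lower() for n in needles):
                        hits.add((table, col, val))
    finally:
        con.close()
    return sorted(hits)

def build_sample_cache(root):
    """Constructed sample: a made-up one-table layout, not the real cache schema."""
    cache = os.path.join(root, "xx", "-Caches-", "com.apple.QuickLook.thumbnailcache")
    os.makedirs(cache)
    con = sqlite3.connect(os.path.join(cache, "index.sqlite"))
    con.execute("CREATE TABLE files (folder TEXT, file_name TEXT, size INTEGER)")
    con.executemany("INSERT INTO files VALUES (?, ?, ?)", [
        ("/Volumes/Vault/taxes", "return-2009.pdf", 1024),
        ("/Users/demo/Pictures", "cat.jpg", 2048)])
    con.commit(); con.close()
    return root

if __name__ == "__main__":
    # No arguments: run against the constructed sample instead of the live cache.
    root, needles = ("/var/folders", sys.argv[1:]) if sys.argv[1:] else (
        build_sample_cache(tempfile.mkdtemp()), ["/Volumes/Vault"])
    for db in find_cache_dbs(root):
        for table, col, val in leaked_strings(db, needles):
            print(f"{db}: {table}.{col} = {val}")
```

Run it with one or more file names or folder paths from the encrypted volume as arguments; any output line means that string is sitting in the cache outside the encrypted volume.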

Posted by: Bill Ellis in Mac OS X, Security

12 Comments

  1. Steve says:

    So how do you disable QuickLook?

    • B says:

      Good question, you can kill the daemon from running by using

      killall -9 quicklookd

      but that is not a permanent solution.

      It might be best to just not use Quick Look, thus not allowing the thumbnails to be generated. I have yet to find a way to disable Quick Look completely.

  2. J says:

    Thumbnail cache is disabled for encrypted volumes, including FileVault users. You should be able to confirm with the following Terminal command:

    qlmanage -m disks

    If this is not the case, there is definitely a bug in Quick Look.

  3. DistortedLoop says:

    If J is correct, not a big deal, but if the stuff is actually cached, why not just add a script to your machine that periodically deletes the cache file during the day? At least it would lessen the damage on a breach.

  4. mdoorkeeper says:

    Found it in cd ‘/private/var/folders/M4/M4C9EH+OHfCUCPjIRmQAUU+++TI-Caches-/com.Apple.QuickLook.thumbnailcache/’ What would be the consequence of simply deleting the whole com.Apple.QuickLook.thumbnailcache folder?
    …and what application can open the files therein so I can read them?

  5. J says:

    As I mentioned in my previous comment, Quick Look does not store anything in its cache that comes from encrypted volumes.

    If you really want to reset the cache, use “qlmanage -r cache” in a Terminal.

  6. Geoff Strickler says:

    There is definitely an issue with Quick Look. I don’t know about FileVault, but it creates and caches previews for files in TrueCrypt encrypted volumes.

    It’s certainly missing a level of transparency and manageability showing what it’s doing, what’s stored where, etc.

    There is also the fact that, for those of us who don’t use QL, not being able to disable it makes it a complete waste of resources. On my machine, it allocates over 500MB of VM for a feature that I never use.

    How do I tell QL to ignore some/all volumes?

    • J says:

      Quick Look does not really “allocate” 500MB of memory. It’s purely virtual and generally accounts for a very small amount of real wired memory. This has no real impact on the global system performance.

  7. Geoff Strickler says:

    Actually, it does have a real impact. Virtual memory must be allocated and swapped to disk. The reason I started looking into QL is because of the memory and CPU it was using at login. To quote Robert A. Heinlein, TANSTAAFL (there ain’t no such thing as a free lunch). Virtual memory does have an impact, even if it’s only temporary/transient.

    The bottom line is that it uses resources on my system, and I never use it. So far, I’ve found no way to disable it and recover the resources it uses.

  9. kevin says:

    Missing the point with this conversation, which is why so shady a method? These thumbnails, or “pictures” it is taking, what is wrong with storing in ~/Library/Caches?
