FileVault and QuickLook leak some information from encrypted volumes in Mac OS

Jul 25, 2010 - 15 Comments

If you use FileVault and QuickLook on a Mac, you may want to know that the combination of the two may leak some sensitive information from encrypted volumes.

Reader Jack R. sent in the following tip, explaining the situation further:

When FileVault and QuickLook are used concurrently, information about what files are stored on the encrypted volume becomes available and completely unencrypted on your hard drive. This is due to QuickLook’s thumbnail caching that is stored within the /var/ directory.

Run the following command to see the size of the QuickLook cache to demonstrate the potential:

find /var/folders -name "*QuickLook*" -exec du -h {} \; 2>/dev/null

The worst-case scenario is the potential for exposing file names and even QuickLook thumbnails of documents and images. There’s also a sqlite file called index.sqlite within the /var/folders QuickLook cache directories that has a list of file names on the encrypted volumes.

Whether or not this is a legitimate security hole that is patchable or if it’s something I’m aimlessly worried about, I don’t know, but I am willing to bet many people don’t know about this!

Editor note: This definitely seems like a security hole. I imagine the best way to avoid this problem is to just not use QuickLook on the sensitive encrypted data, although that’s more of a workaround than a fix. Perhaps Mac OS X will eventually get a security update to resolve the problem.

Update 6/18/2018: Over 8 years later, this security bug still exists in MacOS / Mac OS X! That’s the bad news. But here’s the good news; security researcher Patrick Wardle has brought some renewed attention to this flaw and thus it will likely get patched in a future software update.

In the meantime, Wardle recommends the following command string to delete the Quick Look cache, which can be entered into the Terminal of MacOS / Mac OS X:

qlmanage -r cache

Executing that command will clear the Quick Look cache. Keep an eye out for future security updates and software updates to Mac OS as they will likely patch the bug once and for all.
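An added example, not part of the original article or of Wardle's research: a read-only Python audit that locates Quick Look thumbnail cache directories under /var/folders and reports each one's size and the row count of every table in its index.sqlite, so you can check what is cached before and after running qlmanage -r cache. The directory and file names are the ones quoted on this page; the script assumes nothing about the database schema.

```python
import os
import sqlite3
from urllib.parse import quote

# Directory name taken from the paths quoted on this page; matched
# case-insensitively because the page shows both "com.apple" and "com.Apple".
CACHE_DIR = "com.apple.quicklook.thumbnailcache"


def dir_bytes(path):
    """Total size of the files under path, skipping unreadable entries."""
    total = 0
    for base, _dirs, files in os.walk(path):
        for name in files:
            try:
                total += os.lstat(os.path.join(base, name)).st_size
            except OSError:
                pass
    return total


def table_rows(db_path):
    """Row count per table, opened read-only so the audit changes nothing."""
    conn = sqlite3.connect("file:" + quote(db_path) + "?mode=ro", uri=True)
    try:
        names = [r[0] for r in conn.execute(
            "SELECT name FROM sqlite_master WHERE type='table'")]
        return {n: conn.execute('SELECT COUNT(*) FROM "%s"'
                                % n.replace('"', '""')).fetchone()[0]
                for n in names}
    finally:
        conn.close()


def audit(root="/var/folders"):
    """Find Quick Look thumbnail caches under root and summarise each one."""
    findings = []
    for base, dirs, _files in os.walk(root):
        for d in [d for d in dirs if d.lower() == CACHE_DIR]:
            path = os.path.join(base, d)
            dirs.remove(d)  # do not descend into the cache itself
            index = os.path.join(path, "index.sqlite")
            try:
                tables = table_rows(index) if os.path.isfile(index) else {}
            except sqlite3.Error:
                tables = None  # present but unreadable (locked, no permission)
            findings.append({"path": path, "bytes": dir_bytes(path),
                             "tables": tables})
    return findings


if __name__ == "__main__":
    for f in audit():
        print(f["path"], f["bytes"], "bytes", f["tables"])
```

A non-zero row count or a cache of more than a few kilobytes after clearing means thumbnails or file metadata are still on the unencrypted side of the disk.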

Posted by: Bill Ellis in Mac OS, Security

15 Comments

  1. Bewildered says:

    It is absolutely amazing this security bug still exists today in 2018 Mac OS X despite you guys reporting this as a clear security flaw almost a decade ago.

    OK so here we are in modern era, the flaw exists in MacOS today. But here is how you can clear the Quick Look cache according to some newer research by Patrick Wardle, from Terminal:

    $ rm -rf "$TMPDIR/../C/com.apple.QuickLook.thumbnailcache"

    $ qlmanage -r cache

    $ sudo reboot

    Some modern updates for those interested in the topic:

    https://objective-see.com/blog/blog_0x30.html

    https://thehackernews.com/2018/06/apple-macos-quicklook.html

    How many other bugs were widely known years ago that remain unfixed?

    Maybe Apple should be reading this site, blogs, forums, fan sites, etc to learn about their own products, because rest assured security researchers and the other guys do :)

    • Paul says:

      Thanks for the heads up, we updated the article to include the “qlmanage -r cache” cache dump as an interim solution. It’s interesting this bug slipped through the cracks for so long, but surely it will be patched now that it is getting broader coverage.

  2. […] officer at Digital Security, equally shared the concern, saying that the issue has long been known for at least eight years, “however the fact that behavior is still present in the latest […]

  3. kevin says:

    Missing the point with this conversation, which is why so shady a method? These thumbnails, or “pictures” it is taking, what is wrong with storing in ~/Library/Caches?

  5. Geoff Strickler says:

    Actually, it does have a real impact. Virtual memory must be allocated and swapped to disk. The reason I started looking into QL is because of the memory and CPU it was using at login. To quote Robert A. Heinlein, TANSTAAFL (there ain’t no such thing as a free lunch). Virtual memory does have an impact, even if it’s only temporary/transient.

    The bottom line is that it uses resources on my system, and I never use it. So far, I’ve found no way to disable it and recover the resources it uses.

  6. Geoff Strickler says:

    There is definitely an issue with Quick Look. I don’t know about FileVault, but it creates and caches previews for files in TrueCrypt encrypted volumes.

    It’s certainly missing a level of transparency and manageability showing what it’s doing, what’s stored where, etc.

    There is also the fact that, for those of us who don’t use QL, not being able to disable it makes it a complete waste of resources. On my machine, it allocates over 500MB of VM, for a feature that I never use.

    How do I tell QL to ignore some/all volumes?

    • J says:

      Quick Look does not really “allocate” 500MB of memory. It’s purely virtual and generally accounts for a very small amount of real wired memory. This has no real impact on the global system performance.

  7. J says:

    As I mentioned in my previous comment, Quick Look does not store anything in its cache that comes from encrypted volumes.

    If you really want to reset the cache, use “qlmanage -r cache” in a Terminal.

  8. mdoorkeeper says:

    Found it in cd ‘/private/var/folders/M4/M4C9EH+OHfCUCPjIRmQAUU+++TI-Caches-/com.Apple.QuickLook.thumbnailcache/’ What would be the consequence of simply deleting the whole com.Apple.QuickLook.thumbnailcache folder?
    …and what application can open the files therein so I can read them?

  9. DistortedLoop says:

    If J is correct, not a big deal, but if the stuff is actually cached, why not just add a script to your machine that periodically deletes the cache file during the day? At least it would lessen the damage on a breach.

  10. J says:

    Thumbnail cache is disabled for encrypted volumes, including FileVault users. You should be able to confirm with the following terminal command:

    qlmanage -m disks

    If this is not the case, there is definitely a bug in Quick Look.

  11. Steve says:

    So how do you disable QuickLook?

    • B says:

      Good question, you can stop the daemon from running by using

      killall -9 quicklookd

      but that is not a permanent solution.

      It might be best to just not use Quick Look, thus not allowing the thumbnails to be generated. I have yet to find a way to disable Quick Look completely.
