In a report published earlier this month, a noted cyber-security researcher cautioned macOS users that the data they store on the encrypted hard drive of their Macbook or iMac aren’t exactly as protected from prying eyes as they might have believed.
In the report, Wojciech Regula expressed concern that a macOS feature called Quick Look maybe revealing personal information to unauthorized third-parties as it stores unprotected previews of images and other files. The issue is believed to be known to forensic researchers for the better part of a decade and “is still present in the latest version of macOS”.
Did you know that macOS stores your image thumbnails even if they are located in VeraCrypt/TrueCrypt containers or Encrypted HDDs? 🍎😈 https://t.co/dMM4KHFhFE pic.twitter.com/avUjAJfY6G
— Wojciech Reguła (@_r3ggi) June 2, 2018
The original report was published by Regula earlier this month, following which, Digita Security’s chief research officer, Patrick Wardle, shed some further light on the subject through a blog report published last Friday.
Thanks @patrickwardle for a nice cooperation 👍🏻😎 https://t.co/qohP1EOydB
— Wojciech Reguła (@_r3ggi) June 18, 2018
The story, however, was only picked up this week by the media after Regula shared the results of his findings on The Hacker News yesterday. As can be seen from the images below, the issue apparently has to do with how the Quick Look feature in macOS caches the contents of the hard drive to show users a preview of any given file.
According to the researchers, Quick Look saves those snapshots to a folder on the computer, making it possible, in theory, for anyone to view snapshots of everything the user has ever previewed on the device. To do that, all an unauthorized person has to do is just locate the cache folder where all those preview snapshots are stored, and run a few lines of code.
Alarmingly, this bug includes all files saved to encrypted drives, as was shown by Regula as part of his proof-of-concept demonstration. In the first case above, Regula says the Quick Look feature shows a thumbnail preview of Luke Skywalker even though the actual image is stored in a Veracrypt container. In the second case (below), the Darth Vader image is said to be present on a macOS encrypted HFS+/APFS drive, but anybody can see both thumbnails once Quick Look in employed to take a look at the file.
Regula says that this is a ‘known’ issue that’s often used by forensic scientists, but it’s still a surprise that even files stored in encrypted containers are cached and displayed in plain view. He also goes into details to explain the entire process of how to recreate the issue, so in case all that technical details interest you, you can go over to Regula’s blog to read the entire report in full detail.