Quick Look bug reveals encrypted data in macOS

Think your Macbook data is secure? Think again. A new vulnerability is the Quick Look preview in macOS can leak your encrypted data.

How Quick Look leaks encrypted data

This bug affects both local storage and external storage devices such as hard disks. The unencrypted data persists even after you delete the original files, or transfer them to an external hard drive.

For those who don’t know, Quick Look feature of macOS lets you preview a file before opening it. All you need to do is select a file and tap spacebar once.

This vulnerability was discovered by Polish malware researcher, Wojciech Reguła.

Renowned Apple hacker Patrick Wardle labeled this vulnerability “Cache Me Outside” and also wrote an in-depth write-up on it.

Quick Look vulnerability

  • Patrick saved the images in two separate encrypted containers. The first container uses VeraCrypt encryption while the other one uses HFS + / APFS encryption.
  • He then accessed the thumbnails of the test images locally.
  • Images are finally extracted using a modified Python script.
  • Quick Look automatically downscaled 1920×1080, the original image resolution, to 336×182. However, the content of the images remains intact.

According to Regula, the data is not automatically removed and even retained when the original files are deleted or the external storage medium is removed.

How can Apple patch “Cache Me Outside”?

Surprisingly, this vulnerability is eight years old and, for some reason, Apple continues to ignore it.

Such minor bugs only serve to benefit law enforcement agencies and unethical hackers.

Thankfully enough, accessing the encrypted cache also requires physical access apart from technical knowledge.

Mac hack

According to Wardle, Apple can patch this vulnerability quite easily.

Firstly, they need to prevent the creation of a preview if a file is in an encrypted container.

Secondly, automatic deletion of the Quick Look cache after ejecting the encrypted hard drive.

How can you keep your Mac secure?

Although Apple patches bugs almost instantly, this bug may remain unpatched for a long time.

If you are the paranoid type, you can delete the cache manually. Simply enter the following command in Terminal to purge it –

$ qlmanage -r cache

Restarting your machine afterward will force macOS to create a new database, which will be free of any previous data.

[Source – wojciechregula.blog]

Leave a Reply