macOS' Quick Look Cache May Leak Encrypted Data
21.6.2018 securityweek Apple
The Quick Look mechanism on macOS, which allows users to check file contents without actually opening the files, may leak information on cached files, even if they reside on encrypted drives or if the files have been deleted.
According to Apple, “Quick Look enables apps like Finder and Mail to display thumbnail images and full-size previews of Keynote, Numbers, Pages, and PDF documents, as well as images and other types of files.”
Quick Look registers the com.apple.quicklook.ThumbnailsAgent XPC service, which creates a thumbnails database and stores it in the /var/folders/.../C/com.apple.QuickLook.thumbnailcache/ directory.
The issue, discovered by Wojciech Reguła, is that the service creates thumbnails of all supported files located in an accessed folder, regardless of whether the folder resides on an internal or external drive. It does the same for macOS Encrypted HFS+/APFS drives as well.
Because of that, the SQLite database in the com.apple.QuickLook.thumbnailcache/ directory contains previews, metadata and file paths of photos and other files in the accessed folders, depending on the file type and the installed Quick Look plugins.
Said thumbnails, however, are not created only for the files a user has chosen to preview with Quick Look (which automatically results in the service caching file information), but for other files residing in the accessed folders as well.
Thumbnails for files the user actually previewed are larger, while smaller ones are created for the other files in the folder, but even those could be used to leak content, Objective-See’s Patrick Wardle suggests.
To demonstrate the bug, Reguła created a VeraCrypt container, mounted it, and saved an image in it. He also cached it in Quick Look by pressing space on it. Next, he placed a second photo on a macOS Encrypted HFS+/APFS drive.
With both images cached, information about the full paths and the file names is stored in the aforementioned database, and the researcher used a modified script to exfiltrate the thumbnails.data file and retrieve the miniatures.
“This technique is known and helps a lot in forensics, but I honestly didn't know about this before. It was a big surprise for me to see that even files stored in encrypted containers may be cached like that. Keep it in mind when you use space to preview photos,” Reguła notes.
According to Wardle, this behavior “can be replicated in a password-protected encrypted APFS container.” When creating a file in the container, a thumbnail of the file is created and cached even if the user simply views the container in the UI, without previewing the file, he explains.
Even if the encrypted volume is unmounted, the thumbnail of the file continues to be stored in the temporary directory, meaning that it can be extracted. The cached thumbnails are created for files on USB drives that users insert into their Macs as well.
“Depending on the size of the 'preview' images generated for Finder (and other variables, such as the size of the font used in the file), the contents of even documents may be discernible from the thumbnail alone,” Wardle notes.
With the main drive encrypted, the cached data remains safe on a powered-off system, but it can be revealed to an attacker or law enforcement accessing the running system, even if the password-protected encrypted containers have been unmounted.
However, it is possible to clear the Quick Look cache when unmounting a container, using the qlmanage utility. The qlmanage -r cache command should immediately purge the cache, without requiring a system reboot.
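As an added example (not code from the article or from the researchers), the following Python check reports whether a Quick Look index still references files from a volume you have just unmounted, so it can be run before and after the qlmanage -r cache purge described above. The index.sqlite column names (taken from public forensic write-ups), the /Volumes/Secret mount point and the sample rows are assumptions, not facts from the article.

```python
import sqlite3
import subprocess
import tempfile
from pathlib import Path

def quicklook_cache_dir() -> Path:
    # macOS only: the per-user cache lives under $(getconf DARWIN_USER_CACHE_DIR)
    base = subprocess.check_output(["getconf", "DARWIN_USER_CACHE_DIR"], text=True).strip()
    return Path(base) / "com.apple.QuickLook.thumbnailcache"

def cached_entries_under(index_db: Path, mount_point: str) -> list[dict]:
    """List cached thumbnails whose source file sits under mount_point.
    Schema (files.folder/file_name, thumbnails.file_id/width/height/bitmapdata_length)
    is an assumption from forensic write-ups, not from the article."""
    prefix = mount_point.rstrip("/") + "/"
    query = ("SELECT f.folder, f.file_name, t.width, t.height, t.bitmapdata_length "
             "FROM files AS f JOIN thumbnails AS t ON t.file_id = f.rowid")
    # Open read-only: an audit must never modify the cache it inspects.
    with sqlite3.connect(f"file:{index_db}?mode=ro", uri=True) as conn:
        rows = conn.execute(query).fetchall()
    hits = []
    for folder, name, width, height, length in rows:
        if (folder.rstrip("/") + "/").startswith(prefix):
            hits.append({"path": f"{folder.rstrip('/')}/{name}", "width": width,
                         "height": height, "bytes": length})
    return hits

def purge_quicklook_cache() -> None:
    # The mitigation named in the article: flush the cache without a reboot.
    subprocess.run(["qlmanage", "-r", "cache"], check=True)

def build_sample_index(index_db: Path, entries) -> None:
    """Constructed sample index (same assumed schema) so the check runs offline."""
    with sqlite3.connect(index_db) as conn:
        conn.execute("CREATE TABLE files (folder TEXT, file_name TEXT)")
        conn.execute("CREATE TABLE thumbnails (file_id INTEGER, width INTEGER, "
                     "height INTEGER, bitmapdata_length INTEGER)")
        for folder, name, w, h, n in entries:
            cur = conn.execute("INSERT INTO files VALUES (?, ?)", (folder, name))
            conn.execute("INSERT INTO thumbnails VALUES (?, ?, ?, ?)", (cur.lastrowid, w, h, n))

def demo() -> list[dict]:
    db = Path(tempfile.mkdtemp()) / "index.sqlite"
    build_sample_index(db, [                                          # constructed rows
        ("/Volumes/Secret/photos", "secret.png", 1024, 768, 3145728),  # under the mount
        ("/Volumes/SecretOther", "decoy.png", 64, 64, 12288),          # shares a prefix only
        ("/Users/alice/Desktop", "notes.pdf", 128, 128, 49152),
    ])
    return cached_entries_under(db, "/Volumes/Secret")

if __name__ == "__main__":
    print(cached_entries_under(quicklook_cache_dir() / "index.sqlite", "/Volumes/Secret"))
```

Run it once with the container mounted, once after unmounting, and once more after qlmanage -r cache; an empty result on the last run confirms the purge took effect.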