Skip to main content

Macs leak sensitive data from encrypted files, even after they’re deleted

A background feature in MacOS called Quick Look is leaking sensitive data even if the content is locked behind password-protected encryption, security experts claim. Introduced in MacOS 10.5 Leopard, Apple designed Quick Look to give you a glimpse into a file without manually opening it with an app. But for the sake of convenience, Quick Look serves up a dish of potential privacy concerns. 

Used by the Finder app in MacOS, Quick Look stores a thumbnail containing the file’s full name, path, and a miniature image of what is stored inside the file, even if it’s password-protected and encrypted. This cached data also isn’t secured: It’s stored openly without passwords or encryption in the user’s TMPDIR directory and accessible to any person or application. The data even remains on the Mac after you reboot the device, delete the original files, and/or disconnect an external storage device. 

Image used with permission by copyright holder

That said, if someone gains physical access to your Mac device, they can view the contents of any stored file. That makes Quick Look a highly useful tool for forensic investigations, surveillance implants, and for nosy significant others who simply want a quick way to snoop through your files. 

Recommended Videos

“Imagine having a historic record of the USB devices, files on the devices, and even thumbnails of the files … all stored persistently in an unencrypted database, long after the USB devices have been removed (and perhaps destroyed),” says chief research officer Patrick Wardle of Digital Security. “For users, the question is: Do you really want your Mac recording the file paths and ‘previews’ thumbnails of the files on any/all USB sticks that you’ve ever inserted into your Mac? Me thinks not.” 

Please enable Javascript to view this content

The blog builds on a report issued by Wojciech Regula from SecuRing in early June who pointed out that the cached thumbnails remain on a Mac even if the originating files were deleted, previewed on an encrypted drive, or previewed using a TrueCrypt/VeraCrypt container. 

“If you open a folder with files residing on an external drive, thumbnails will be created on the boot drive depending on the file type and the installed Quick Look plugins,” Wardle adds. “The previews, metadata and file paths are stored in SQLite database files deep inside the var folder. The path to this folder contains arbitrary folder names. With the proper commands the preview pics can be extracted from the database.” 

Currently, Mac owners can manually clear the Quick Look cache using the “qlmanage” command. In the latest version of MacOS High Sierra, simply navigate to Launcher > Other > Terminal and type “qlmanage -r cache” at the prompt without the quotes. After that, reboot the Mac and the thumbnails should be gone. 

Kevin Parrish
Former Digital Trends Contributor
Kevin started taking PCs apart in the 90s when Quake was on the way and his PC lacked the required components. Since then…
The hidden Quick Actions menu has changed how I use my Mac
A comparison of two images in macOS Ventura. The image on the left is the original, while the image on the right has had its background removed using a Quick Action.

The more you use Apple’s macOS operating system, the more you come across amazing little tools and features that you’ve somehow never heard of, yet which can totally blow your mind. I’ve been using Macs for over a decade, yet I just stumbled upon a killer feature I never knew existed -- and I absolutely love it.

That feature is called Quick Actions, and you’ll need macOS Mojave or later to give it a try. The name is pretty self-explanatory -- they’re a collection of lightweight tools and tweaks that can save you oodles of time. The reason I never knew about them, though, is they’re hidden away in the right-click menu. I use keyboard shortcuts all the time, so rarely open this menu. But Quick Actions are worth breaking your habits for.
What are Quick Actions?

Read more
How macOS Sonoma could fix widgets — or make them even worse
Apple's 15-inch MacBook Air on a desk, with macOS Sonoma running on its display.

At its Worldwide Developers Conference (WWDC) earlier this year, Apple revealed that interactive widgets would be coming to macOS Sonoma. That probably sounds like a tiny new feature, and sure, it’s not as earth-shattering as the Vision Pro announcement. But it could turn out to be one of the most divisive new features in the Mac operating system.

In macOS Sonoma, you’ll be able to plant widgets on your desktop instead of hiding them in the Notification Center. Many widgets will be interactive, letting you tick off to-do list items without opening the widget’s app, for example. And you’ll be able to run iOS widgets right on your desktop, even if that app isn’t installed on your Mac. It’s a pretty comprehensive overhaul. Depending on how well these interactive widgets work, though, we could be left with a bunch of annoying distractions or a set of super-helpful timesavers. The way Apple handles them is going to be vital.
We've been here before

Read more
This critical exploit could let hackers bypass your Mac’s defenses
A hacker typing on an Apple MacBook laptop while holding a phone. Both devices show code on their screens.

Microsoft has discovered a critical exploit in macOS that could grant hackers easy access to your Mac’s most important data. Dubbed ‘Migraine,’ it shows why it’s vital to update your Mac as soon as possible.

Migraine is so damaging because it can bypass Apple’s System Integrity Protection, or SIP for short. SIP is enabled by default on modern Macs and works by sandboxing sensitive parts of the computer from outside meddling. Only processes that are signed by Apple (or those with special privileges, like Apple installers) are allowed to alter something guarded by SIP.

Read more