Unbeknownst to many people, a macOS feature that caches thumbnail images of files can leak highly sensitive data stored on password-protected drives and encrypted volumes, security experts said Monday.
The automatically generated caches can be viewed only by someone who has physical access to a Mac or infects the Mac with malware, and the behavior has existed on Macs for almost a decade.
For a forensics investigation or surveillance implant, this information could prove invaluable. Imagine having a historic record of the USB devices, files on the devices, and even thumbnails of the files…all stored persistently in an unencrypted database, long after the USB devices have been removed (and perhaps destroyed).
For users, the question is: “Do you really want your Mac recording the file paths and ‘previews’ thumbnails of the files on any/all USB sticks that you’ve ever inserted into your Mac?” Me thinks not…
As the researchers note, the caching may cause there to be a permanent record of every drive that connects to a Mac. It also creates a thumbnail image that can leak key details about many of the images stored on the drives, as well as password-protected folders or encrypted volumes. The thumbnails will live on in an SQLite database stored indefinitely in the macOS file system.
The most common way the caching is triggered is when people use a macOS feature known as Quick Look to view the contents of a file without the use of the custom app normally required to open the file. Each time someone uses Quick Look to view a photo or file, macOS stores a corresponding thumbnail that can provide a surprising amount of detail, including the full name of files and file paths and miniature images showing some of the content. Another way to trigger the caching is to view a file in the normal Finder window when it’s set to show large thumbnails. All photos stored in the desktop folder are also automatically cached as thumbnails.
The thumbnails remain even when the original file is deleted or the drive is disconnected or a volume is unmounted. Wardle and Reguła recommend people manually delete the folder that stores the thumbnails each time they disconnect a sensitive drive or volume. The commands: rm -rf $TMPDIR/../C/com.apple.QuickLook.thumbnailcache. Then sudo reboot. Another option is to execute the ‘qlmanage -r cache’ command, which appears to purge the cache without requiring a reboot. Apple representatives didn’t respond to an email seeking comment for this post.
A key strategy for securing computers is carefully controlling what data they’re allowed to store or have access to. This strategy can be undermined when macOS automatically logs the names of drives that have connected in the past and stores thumbnails of files the drives store. “This technique is known and helps a lot in forensics,” Reguła wrote, “but I honestly didn’t know about this before.”