The handy macOS function QuickLook, which creates a quick preview of a file when you press the spacebar, is quite a security hole.

Security researcher Wojciech Reguła explained in detail on his blog two weeks ago, and again a few days ago in this blog, why the QuickLook function is quite a security hole.


This is because the function generates small preview images for faster display and saves them in an unencrypted database. That is no problem as long as the files themselves are freely accessible as well. However, anyone who decides to encrypt important documents or photos, for example with VeraCrypt, is mistaken in believing they are on the safe side. The files themselves are now encrypted, but their preview images remain in the unencrypted thumbnail database. And even worse: if you have opened an encrypted folder and then use QuickLook on a file for the first time (so no preview image exists yet), a fresh preview image is generated and, yes, saved unencrypted again.

Do you really want your Mac recording the file paths and ‘previews’ thumbnails of the files on any/all USB sticks that you’ve ever inserted into your Mac?

But wait, there is more: the same thing happens for every connected data volume. So if you connected a USB stick with embarrassing party pictures and looked at them with QuickLook, the reference to the stick and all the preview pictures still exist on your Mac. The whole thing is said to have been known for years and is apparently also used in forensics. Because what is more practical than a record of all data volumes ever connected, including all preview images? Exactly.

If you want to turn off this behavior, you only have one option: don’t use QuickLook anymore, so that no preview images are generated. All accumulated data can be deleted with this terminal command:

    qlmanage -r cache

If you don’t want your Mac to keep a list of attached media, you’ll need to clear the QuickLook cache after each medium you connect. If you have encrypted your hard disk with FileVault, the data is already protected while the Mac is switched off, because the whole disk is encrypted. But while your Mac is running, that won’t help you either, because the disk is decrypted during startup and the thumbnails are clearly visible.
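To see what the thumbnail cache currently retains, and to confirm that the reset command above emptied it, the following added example (not code from the original post or from Wojciech Reguła) summarises the database without assuming its table schema. The cache directory name `com.apple.QuickLook.thumbnailcache`, its location under `getconf DARWIN_USER_CACHE_DIR`, and the file names `index.sqlite` and `thumbnails.data` are assumptions not stated on this page; `default_cache_dir` and `audit_cache` are hypothetical helper names.

```python
import os
import sqlite3
import subprocess
from pathlib import Path

# Assumed layout (not stated on the page): a per-user cache directory with
# this name, containing index.sqlite and thumbnails.data.
CACHE_NAME = "com.apple.QuickLook.thumbnailcache"


def default_cache_dir():
    """Locate the per-user cache directory on macOS via getconf."""
    base = subprocess.run(["getconf", "DARWIN_USER_CACHE_DIR"],
                          capture_output=True, text=True, check=True).stdout
    return os.path.join(base.strip(), CACHE_NAME)


def audit_cache(cache_dir, volume_prefix="/Volumes/"):
    """Summarise what the cache retains, without assuming a table schema."""
    report = {"tables": {}, "volume_paths": set(), "thumbnail_bytes": 0}
    cache = Path(cache_dir)
    blob = cache / "thumbnails.data"
    if blob.exists():
        report["thumbnail_bytes"] = blob.stat().st_size
    index = cache / "index.sqlite"
    if not index.exists():
        return report  # nothing cached, or the cache was already reset
    # Open read-only so the audit never modifies the database.
    con = sqlite3.connect(index.resolve().as_uri() + "?mode=ro", uri=True)
    try:
        names = [r[0] for r in con.execute(
            "SELECT name FROM sqlite_master WHERE type='table'")]
        for name in names:
            rows = con.execute(f'SELECT * FROM "{name}"').fetchall()
            report["tables"][name] = len(rows)
            for row in rows:
                for value in row:
                    # Text values under /Volumes/ refer to external media.
                    if isinstance(value, str) and value.startswith(volume_prefix):
                        report["volume_paths"].add(value)
    finally:
        con.close()
    return report


if __name__ == "__main__":
    print(audit_cache(default_cache_dir()))
```

Running it before and after `qlmanage -r cache` shows whether the reset actually removed the entries for external volumes.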

It is unbelievable, however, that there are also records of all data volumes ever connected. You really carry around a diary for the secret service. Read the complete report from Wojciech Reguła; it is very informative.
