A bug in macOS can expose the contents of a user’s files — including document text and photo thumbnails — even if the drive is encrypted.
Security researcher Wojciech Regula found that the “Quick Look” feature in macOS, which takes a snapshot of a file’s contents and the full file path without the user having to open each file, stores that snapshot data in an unprotected location on the computer’s hard drive.
Regula, a security specialist, wrote up details about the macOS data leak issue earlier this month.
“It means that all photos that you have previewed … are stored in that directory as a miniature and its path,” Regula wrote. They stay there even if you delete the files, he said.
Patrick Wardle, chief research officer at Digita Security, built on Regula’s work in his own blog post, published Monday, noting that the bug is triggered every time a user opens a folder.
The bug exposes even encrypted volumes to potential snooping.
“If we unmount the encrypted volume, the thumbnails of the file are … still stored in the user’s temporary directory, and thus can be extracted,” said Wardle.
He explained that the bug is an issue for anyone using encrypted volumes. If a laptop is stolen or seized by law enforcement while its encrypted volume is unmounted and considered safe, the Quick Look cache can still reveal the contents of files, if the thumbnail is large enough.
“Basically, this makes using encrypted containers pointless,” he said.
During a conversation on Sunday, Wardle also found that the Quick Look bug affected USB drives that had…