Apple macOS Bug Reveals Cache of Sensitive Data from Encrypted Drives


Apple macOS Bug Reveals Cache of Sensitive Data from Encrypted Drives

Security researchers are warning of almost a decade old issue with one of the Apple’s macOS feature which was designed for users’ convenience but is potentially exposing the contents of files stored on password-protected encrypted drives.

Earlier this month, security researcher Wojciech Regula from SecuRing published a blog post, about the “Quick Look” feature in macOS that helps users preview photos, documents files, or a folder without opening them.

Regula explained that Quick Look feature generates thumbnails for each file/folder, giving users a convenient way to evaluate files before they open them.

However, these cached thumbnails are stored on the computer’s non-encrypted hard drive, at a known and unprotected location, even if those files/folders belong to an encrypted container, eventually revealing some of the content stored on encrypted drives.

Patrick Wardle, chief research officer at Digital Security, equally shared the concern, saying that the issue has long been known for at least eight years, “however the fact that behavior is still present in the latest version of macOS, and (though potentially having serious privacy implications), is not widely known by Mac users, warrants additional discussion.”

To prove his claim, Regula created two new encrypted containers, one using VeraCrypt software and the second with macOS Encrypted HFS+/APFS drives, and then saved a photo in each of them.

As explained in his post, after running a simple command on his system, Regula was able to find the path and cached files for both images left outside the encrypted containers.

“It means that all photos that you have previewed using space (or Quicklook cached them independently) are stored in that directory as a miniature and its path,” Regula said.

In a separate blog post, Wardle demonstrated that macOS behaves same for the password-protected encrypted AFPS containers, eventually exposing even encrypted volumes to potential snooping.

“If we unmount the encrypted volume, the thumbnails of the file are (as previously mentioned) still stored in the user’s temporary directory, and thus can be extracted,” Wardle said.

“If an attacker (or law enforcement) has access to the running system, even if the password-protected encrypted containers are unmounted (as thus their contents ‘safe’), this caching ‘feature’ can reveal their contents.”

Wardle also noted that if you connect a USB drive with your Mac computer, the system will create thumbnails of files residing on the external drive and store them on its boot drive.

Wardle believes it would be pretty easy for Apple to resolve this issue by either not generating a preview if the file is within an encrypted container, or deleting the cache when a volume is unmounted.

Until and unless Apple resolves this issue in future, Wardles advises users to manually delete the QuickLook cache when they unmount an encrypted container.

About the author

cyberonesol administrator

Cyber One Solutions is a Managed Security and IT Services Provider headquartered in Houston Texas. Since our inception, Cyber One Solutions has helped businesses of all sizes turn their IT into an unfair competitive advantage. We've been helping companies and organizations alike tackle their complex IT challenges through our unique approach to comprehensive technology management and consultancy services, as well as a commitment to excellence in customer service. We are one of the nation's leading Managed Service Providers with a deep bench o certified technical engineers and IT support staff ready to provide technology management and consultancy services to help businesses continue to grow and thrive.

You must be logged in to post a comment.

%d bloggers like this: