“Bug” in Quick Look can expose files even on encrypted disks

Among the many useful features and features of macOS, perhaps none of them are as used and well liked as the Quick Look yes, i mean quick viewing tool that goes into action when you press the space bar when selecting a file in the Finder. However, the time-saving feature may be hiding a card in the sleeve that is not positive.

Security researcher Wojciech Regula recently wrote an article for the website of developer Objective-See detailing the discovery of a “bug” in the Quick Look that can give access to encrypted files to potential invaders.

The whole thing happens because the tool works with cache processes to work; that is, every time you open a folder in the Finder, Quick Look will silently scan the contents of each file it contains to display a preview of the desired file at the exact moment you press the space bar. When that happens, this snapshot (the name given to the file cache version) saved in a separate, unprotected folder, next to the address of the original file.

Why would that be worrying, then? Well, let's say you have a separate partition on your Mac, encrypted, where your most important / sensitive files are kept. When activating Quick Look for one of them, a preview of its content automatically goes to the unprotected folder in another area of ​​the system, allowing potential attackers to access it without having to go through the encryption barrier. The same goes for external HDDs or flash drives protected with passwords or the like.

To prove his discovery, Regula took images of Luke Skywalker and Darth Vader and saved them in different locations, one on a disk encrypted by the VeraCrypt service and the other on an HFS + disk encrypted by macOS itself. When viewing the images through Quick Look, a preview of both was immediately saved in the tool's cache folder, being easily accessible by anyone in control of the computer (physical or remote).

It is worth noting that Quick Look does not save a copy of the file in question: while the original images of the “Star Wars” characters saved by Regula had a resolution of 1920 × 1080 pixels, the snapshots recovered from the tool's folder were only 336 × 182 pixels still, more than enough to take a look at the contents of the files.

The bug can be found in all versions of macOS since the genesis of Quick Look, and Apple did not comment on the case if it did, however, it would not be difficult to imagine that the company would classify the behavior as normal and that users particularly concerned with the security of your files should encrypt your main disk (and in this case, even Quick Look's own would, in theory, be protected).

Still, for users concerned about a potential peek of intruders, Objective-See developer Patrick Wardle posted in the same article as Regula a short tutorial to clear the Quick Look cache, just search the page for the qlmanage command and follow the instructions. And then no longer use the tool, of course.

via Cult of Mac