The "quick look" of macOS caches up to the file of encrypted drive, the data is permanently stored and can be read at any time
Various data such as photos and PDF stored in the computer will be able to check the contents only by opening with a dedicated application. However, with "Mac OS" which is the OS of MacBook and iMac, there is a function called "quick look" that allows you to check the contents simply by mouse over and do the specified action without opening the file. This is a function realized by creating a thumbnail image of data, but this quick look can leak highly confidential data stored in a password protected drive or an encrypted volume It is pointed out that there is sex.
Objective-See
https://objective-see.com/blog/blog_0x30.html
Reminder: macOS still leaks secrets stored on encrypted drives | Ars Technica
https://arstechnica.com/information-technology/2018/06/reminder-macos-still-leaks-secrets-stored-on-encrypted-drives/
A quick look of macOS is a function that exists since the "Mac OS X" era before renaming to macOS, and it can easily check the contents of data with thumbnails without having to open a special application. You can understand what kind of function of Quick Look is, by seeing the following movie in one shot.
Quick Look - Mac OS X - YouTube
This "Quick Look" function is realized by automatically generating thumbnail images of files and caching them. Security vulnerability of this quick lookDigita SecurityWith security expert Patrick Wardle working atWojciech RegułaHe pointed out. According to two people, Quick Look automatically creates thumbnail images and caches the data, but how to delete the original data, disconnect the USB drive or HDD etc. where the original data was saved from the Mac Even though, the cache is permanently recorded on the Mac. In other words, even if data is saved on an encrypted drive, if thumbnail images are saved on the Mac even if they are viewed with a quick look, it is pointed out that if you check this, you can easily sniff the contents It is. Note that only the person who can physically access the terminal or the attacker who infected the terminal with malware can access the cache automatically generated by Quicklook.
Reguła browses the data saved in the Mac for verification with a quick look, then browses the data stored on the encrypted HDD with a quick look. After checking the thumbnails created by Quick Look after disconnecting HDD and Mac, both images were able to be browsed normally. If the photo resolution of the original data is 1920 × 1080, the resolution of the generated thumbnail seems to be 336 × 182, which is rather coarse as picture data, but the content can be confirmed firmly It is a thing of level. " The cache created automatically by QuickLook is stored permanently on the SQLite database.
Below is the image of resolution 336 × 182
The easiest way to create a persistent cache on the Mac is to use the quick look feature, but there are other ways to save the cache automatically even if you display the file on the Finder's window It will be. Also, it seems that thumbnail images are automatically cached for all the photo data saved on the desktop. Since the cache remains even if the original data is deleted or the connection with the drive is lost, Regula recommends that you delete the cache manually every time you disconnect an encrypted drive or the like.
To delete the cache on the SQLite database, open the command line and execute "$ rm -rf $ TMPDIR /../ C / com.apple.QuickLook.thumbnailcache", then restart the terminal It is OK.
Related Posts:
