A security researcher has reported about a critical flaw in one of the popular Mac OS apps, Quick Look. This app has a critical vulnerability through which it keeps a copy of your encrypted data, even after deletion.
Quick Look Bug Leaks Your Encrypted Data Files
Security researcher Wojciech Reguła pointed out a critical flaw in the popular Mac OS app Quick Look. This vulnerability can potentially leak your encrypted data as it keeps a copy of everything you view through this app. The cached versions of files you viewed will remain there even after deletion. Thus, any of your images (including any private files) can be retrieved by simply accessing Quick Look registry.
As Wojciech Reguła explained in his blog post,
“I found out that Quicklook registers com.apple.quicklook.ThumbnailsAgent XPC service that is responsible for creating thumbnails database and storing it in /var/folders/…/C/com.apple.QuickLook.thumbnailcache/ directory.
It means that all photos that you have previewed using space (or Quicklook cached them independently) are stored in that directory as a miniature and its path. They stay there even if you delete these files or if you have previewed them in encrypted HDD or TrueCrypt/VeraCrypt container.”
He even gave a proof of concept to show how this app retains your data.
Wojciech Reguła is an iOS apps security researcher and a penetration tester at Securing. Though, according to him, he never noticed this flaw in the app. Yet, he is not the first to point out towards a Quick Look vulnerability.
Previously, Mari DeGrazia, in 2016, highlighted how Quick Look stores data related to thumbnails into an index.sqlite file located under /private/var/folders/<random>/<random>/C/com.apple.QuickLook.thumbnailcache. Likewise, Sara Newcomer (in 2014), and Lodrina Cherne (in 2018) also described how Quick Look can store your data.
Another Mac OS Vulnerability Reported In One Week
On June 12, the news about a critical Mac OS vulnerability surfaced online, which pointed out to a code-signing flaw. This flaw allowed hackers to bypass Apple signature feature, making unsigned codes look signed by Apple. The vulnerability provided a convenient way for hackers to throw in malicious codes.
Now, a week later, another vulnerability discovered in Mac OS. That too, in its Quick Look feature, which already has a legacy of vulnerabilities reported in the previous years. Indeed, if Apple wants to keep marketing itself as a “privacy freak” company, it should get rid of all such bugs that violate customer’s privacy as soon as possible.
Let us know your thoughts in the comments below.