macOS’ QuickLook is leaking your encrypted data (here’s what you can do about it)


Privacy is a huge concern for most of us, but even if you encrypt all of your data, your Mac might still be leaking important information, via QuickLook’s cache.

In this article, I’m going to explore this worrying security loophole – what it is, why it happens, and what you can do to ensure QuickLook isn’t exposing your encrypted data.


Is QuickLook undermining your encryption?

QuickLook is a handy macOS feature that lets you preview a file’s contents without actually opening that file. To see this feature in action, open a Finder window, select any file, and then press the ‘Space’ bar. The QuickLook preview will vary depending on the type of file you select. For example, if you select a Pages document then you’ll see its contents formatted as plain text, and if you select an image then you’ll get a thumbnail preview.

Every time you preview a file, QuickLook creates a thumbnail, which is then stored in a database inside your Mac’s com.apple.QuickLook.thumbnailcache/ directory, even if the original file is located on an encrypted disk image or an encrypted drive. In fact, depending on your settings, as soon as you open a directory QuickLook may automatically generate and cache a thumbnail for every single file in that directory, even for files that you never preview! This information remains on your Mac even if you delete the original file, or if the file was only ever stored on an external device that you temporarily attached to your Mac, such as a USB drive.

This cache is buried deep in your Mac’s /var/folders, but it isn’t encrypted or protected by root permissions, so if someone knows where to find it, then they could extract all of your thumbnail previews, plus other information such as file names, metadata, and file paths.

While we tend to associate thumbnails with image files, QuickLook generates thumbnails for other file types, including text documents, so this security threat isn’t restricted to images.

How can I stop QuickLook from leaking my encrypted data?

If you’re concerned about QuickLook exposing your data, then there are several ways that you can empty, and even suspend, its cache.

1. Delete QuickLook’s thumbnail directory

Although this directory will always be recreated automatically, deleting it will wipe the slate clean:

  • Open a new Finder window and navigate to ‘Applications > Utilities > Terminal.’
  • Enter the following command into the Terminal window:

rm -rf "$TMPDIR/../C/com.apple.QuickLook.thumbnailcache"

  • Press the ‘Enter’ key on your keyboard.

2. Clear the QuickLook cache

You can also periodically delete the QuickLook cache, using macOS’ built-in qlmanage tool.

Open a Terminal window, and then run the following command to list the cache directory’s current contents:

ls -lart "$TMPDIR/../C/com.apple.QuickLook.thumbnailcache/"

Followed by:

qlmanage -r cache

If the cache is cleared successfully, then you’ll see a ‘resetting quicklookd’ message.
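The two clearing methods above, wrapped as an added shell example (not from the original article) that also reports how many bytes the cache holds, so you can confirm a clear actually worked. The function names are made up for illustration; only the cache path and `qlmanage -r cache` come from the article.

```shell
#!/bin/sh
# Added example (not from the article): measure and clear the QuickLook
# thumbnail cache. Function names are hypothetical; the cache path and
# `qlmanage -r cache` are the ones the article gives.
QL_NAME="com.apple.QuickLook.thumbnailcache"

# Print the canonical cache path for a temp dir (default: $TMPDIR).
# Fails if the temp dir is unset or the cache directory does not exist.
ql_cache_dir() {
    tmp="${1:-$TMPDIR}"
    [ -n "$tmp" ] || { echo "TMPDIR is not set" >&2; return 2; }
    # Resolve ".." and symlinks so later commands act on one real path.
    (cd "$tmp/../C/$QL_NAME" 2>/dev/null && pwd -P)
}

# Print the total bytes stored in regular files in the cache (0 if absent).
ql_cache_bytes() {
    dir="$(ql_cache_dir "$1")" || { echo 0; return 0; }
    find "$dir" -type f -exec cat {} + 2>/dev/null | wc -c | tr -d ' '
}

# Clear the cache, then print the bytes that remain.
ql_cache_clear() {
    if dir="$(ql_cache_dir "$1")"; then
        # Refuse to delete anything that is not the expected directory,
        # e.g. if the cache path was replaced by a symlink to another place.
        case "$dir" in
            */C/"$QL_NAME") rm -rf -- "$dir" ;;
            *) echo "unexpected path: $dir" >&2; return 1 ;;
        esac
    fi
    # Only when working on the real per-user cache (no argument given),
    # also ask QuickLook to reset its cache, as in method 2.
    if [ -z "$1" ] && command -v qlmanage >/dev/null 2>&1; then
        qlmanage -r cache >/dev/null 2>&1
    fi
    ql_cache_bytes "$1"
}
```

Source the file in Terminal, then run `ql_cache_bytes` before and after `ql_cache_clear`. Because the directory is recreated automatically, repeat the check from time to time rather than once.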

3. Disable the QuickLook cache

Some users have reported being able to disable the QuickLook cache, by running the following command in the Terminal:

qlmanage -r disablecache

The downside is that once the cache is disabled, QuickLook will always need to generate its thumbnails and previews from scratch, which can cause lag.

4. Try Aquiline Check

If you’re not familiar with the Terminal, then Aquiline Check is a free app that can clear and disable the cache – and all without a Terminal command in sight!

  • Download Aquiline Check from the Electric Light Company website.
  • Unzip the download, and launch the Aquiline Check application.
  • To empty the cache, simply click the ‘Clear cache’ button.

  • To check that the cache has been emptied successfully, click the ‘Check’ button; the ‘Cache size’ should show ‘0 bytes.’

About the author

Chris

1 Comment

  • Perhaps a naive question, but how would the perp access the directory to look if it’s not someone with access already to your account or another supervisor on the same machine, in which case you are compromised anyway? Otherwise, would it not involve someone physically getting hold of your hard drive and carrying out a large, time-consuming amount of work on the remote off chance that the QuickLook preview might have something of interest?