Privacy is a huge concern for most of us, but even if you encrypt all of your data, your Mac might still be leaking important information, via QuickLook’s cache.
In this article, I’m going to explore this worrying security loophole – what it is, why it happens, and what you can do to ensure QuickLook isn’t exposing your encrypted data.
Is QuickLook undermining your encryption?
QuickLook is a handy macOS feature that lets you preview a file’s contents, without actually opening that file. To see this feature in action, open a Finder window, select any file, and then press the ‘Space’ bar. The QuickLook preview will vary, depending on the type of file you select, for example if you select a Pages document then you’ll see its contents formatted as plain text, and if you select an image then you’ll get a thumbnail preview.
Every time you preview a file, Quicklook creates a thumbnail, which is then stored in a database inside your Mac’s com.apple.QuickLook.thumbnailcache/ directory, even if the original file is located on an encrypted disk image, or an encrypted drive. In fact, depending on your settings, as soon as you open a directory QuickLook may automatically generate and cache a thumbnail for every single file in that directory, even for files that you never preview! This information remains on your Mac, even if you delete the original file, or if the file was only ever stored on an external device that you temporarily attached to your Mac, such as a USB drive.
This cache is buried deep in your Mac’s /var/folders, but it isn’t encrypted or protected by root permissions, so if someone knows where to find this file, then they could extract all of your thumbnail previews, plus other information such as file names, metadata, and file paths.
While we tend to associate thumbnails with image files, QuickLook generates thumbnails for other file types, including text documents, so this security threat isn’t restricted to images.
How can I stop QuickLook from leaking my encrypted data?
If you’re concerned about QuickLook exposing your data, then there’s several ways that you can empty, and even suspend its cache.
-
Delete QuickLook’s thumbnail directory
Although this directory will always be recreated automatically, deleting it will wipe the slate clean:
- Open a new Finder window and navigate to ‘Applications > Utilities > Terminal.’
- Enter the following command into the Terminal window:
$ rm -rf $TMPDIR/../C/com.apple.QuickLook.thumbnailcache
- Press the ‘Enter’ key on your keyboard.
2. Clear the QuickLook cache
You can also periodically delete the QuickLook cache, using macOS’ built-in qlmanage tool.
Open a Terminal window, and then run the following command:
ls -lart $TMPDIR/../C/com.apple.QuickLook.thumbnailcache/
Followed by:
qlmanage -r cache
If the cache is cleared successfully, then you’ll see a ‘resetting quicklookd’ message.
3. Disable the QuickLook cache
Some users have reported being able to disable the QuickLook cache, by running the following command in the Terminal:
qlmanage -r disablecache
The downside is that once the cache is disabled, QuickLook will always need to generate its thumbnails and previews from scratch, which can cause lag.
4. Try Aquiline Check
If you’re not familiar with the Terminal, then Aquiline Check is a free app that can clear and disable the cache – and all without a Terminal command in sight!
- Download Aquiline Check from the Electric Light Company website.
- Unzip the download, and launch the Aquiline Check application.
- To empty the cache, simply click the ‘Clear cache’ button.
- To check that the cache has been emptied successfully, click the ‘Check’ button; the ‘Cache size’ should show ‘0 bytes.’