An 8-year old bug discovered on macOS: File encryption failed

Because of Quick Look’s vulnerabilities, all encryptions on macOS exist in name only.

macOS has a very practical function, namely Quick Look. You select a file or an image, press the Space key, and you will be able to preview its details. This function, however, was been reported to have a bug due to some issues on preview repository, which has led to great possibility of leaking the user’s encrypted files.

Wojciech Regula, a security researcher, firstly found this bug and published it on The Hacker News. When Quick Look’s function is being used on macOS, thumbnails of files or images are generated and cached in particular section of the disk. When the user wakes them with Quick Look, the system will use these thumbnails for presentation.

But Regula found that Apple somehow didn’t store the thumbnails in Mac’s encrypted disk, instead, they are cached in open sections. It means if we set a file as encrypted, the file will be protected of course, but its caches stored by Quick Look will be completely exposed, making no difference from being unencrypted.

To prove his judgement, Regular created two folders, and encrypted one with professional software and the other with macOS’ built-in driver HFS + / APFS. After running a simple command, he easily found the directory and caches of the latter.

Regular said this bug exists not only on the files stored in system disk, but also USB drivers once they are connected to Mac.

Patrick Wardle, a digital security researcher, expressed that this issue has been there for at least eight years, it is not a newly-occur. But it shouldn’t be difficult for Apple to fix it. All users need to do is to disable Quick Look for files.