Slashdot Mirror


macOS Breaks Your OpSec by Caching Data From Encrypted Hard Drives (bleepingcomputer.com)

Apple's macOS surreptitiously creates and caches thumbnails for images and other file types stored on password-protected / encrypted containers (hard drives, partitions), according to macOS security experts Wojciech Regula and Patrick Wardle. From a report: The problem is that these cached thumbnails are stored on non-encrypted hard drives, in a known location and can be easily retrieved by malware or forensics tools, revealing some of the content stored on encrypted containers. On macOS, these thumbnails are created by Finder and QuickLook. Finder is the default macOS file explorer app, similar to Windows Explorer. Whenever a user navigates to a new folder, Finder automatically loads icons for the files located in those folders. For images, these icons are gradually replaced by thumbnails that show a preview of the image at a small scale.
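Whether the cached thumbnails described above are actually exposed depends on whether the volume holding the cache is itself encrypted. The script below is an added example, not code from the report or the researchers; it checks that on a Mac and can reset the cache. Its function names are illustrative, and the cache directory name (`com.apple.QuickLook.thumbnailcache` under `getconf DARWIN_USER_CACHE_DIR`) and the wording of `fdesetup status` output are assumptions not stated on this page.

```shell
#!/bin/sh
# Added example: audit the macOS QuickLook thumbnail cache (names are illustrative).
# Assumptions not stated on the page: the cache directory name and the
# wording of `fdesetup status` output.

# Map the text printed by `fdesetup status` to on / off / partial / unknown.
filevault_state() {
    case "$1" in
        *"ryption in progress"*) echo partial ;;  # encrypting or decrypting
        *"FileVault is On"*)     echo on ;;
        *"FileVault is Off"*)    echo off ;;
        *)                       echo unknown ;;
    esac
}

# Per-user cache path, given the output of `getconf DARWIN_USER_CACHE_DIR`.
quicklook_cache_dir() {
    printf '%s/com.apple.QuickLook.thumbnailcache\n' "${1%/}"
}

# $1 = FileVault state, $2 = cache size in KiB (empty if it could not be read).
assess() {
    if [ "$1" = on ]; then echo protected
    elif [ -z "$2" ]; then echo unreadable
    elif [ "$2" -gt 0 ]; then echo exposed
    else echo empty
    fi
}

audit() {
    if ! command -v fdesetup >/dev/null 2>&1; then
        echo "fdesetup not found (not macOS); nothing to audit"
        return 0
    fi
    state=$(filevault_state "$(fdesetup status 2>/dev/null)")
    dir=$(quicklook_cache_dir "$(getconf DARWIN_USER_CACHE_DIR)")
    kib=$(du -sk "$dir" 2>/dev/null | awk '{print $1}')
    verdict=$(assess "$state" "$kib")
    echo "FileVault=$state cache=$dir size=${kib:-?}KiB verdict=$verdict"
    # With --purge, reset the on-disk thumbnail cache when it sits on an
    # unencrypted volume (run after ejecting the encrypted container).
    if [ "$verdict" = exposed ] && [ "${1:-}" = "--purge" ]; then
        qlmanage -r cache
    fi
    return 0
}

audit "$@"
```

A verdict of `unreadable` means the cache directory could not be sized by the current user, not that it is empty.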

5 of 140 comments

  1. Duh! by Anonymous Coward · · Score: 2, Informative

    > The problem is that these cached thumbnails are stored on non-encrypted hard drives

    Unless, of course, your system drive is encrypted. Which is one of the first suggestions macOS will give you when you boot your Mac for the first time. If you are worried about this kind of thing, chances are your system drive will be encrypted and this cache stuff won't be a problem at all.

  2. Re:Wait. What? by Pieroxy · · Score: 5, Informative

    > these cached thumbnails are stored on non-
    > encrypted hard drives, ... content stored on
    > encrypted containers.

    This does not make sense. If the hard drives are encrypted by FileVault, the storage location for these thumbnails would be encrypted too. Where else is this cache supposed to live? I'm pretty sure that Apple does not add an extra, secret, non-encrypted drive to everyone's Macs so as to cache these silly little images. And as if the summary weren't bad enough, it gets worse when you read the article. QuickLook isn't new, as they claim. It was introduced as part of Leopard, more than a decade ago. And a quick check on my CLI shows that TEMPDIR is very much part of my encrypted root volume. I'm thinking these people are not the "macOS security experts" they claim to be; and msmash failed as an editor in not properly vetting the article he chose to post.

    I guess the issue is when you have your laptop drive not encrypted and you connect an encrypted USB stick to it. It then creates thumbnails of what's on your USB stick and stores them on your unencrypted system drive.

    No need to be an expert. Common sense is enough.

  3. Re:Does Windows Explorer do it differently, or Lin by EvilSS · · Score: 3, Informative

    I can understand the security concern about thumbnail data, especially encrypted data. But for other systems with the feature, including Windows and some Linux file managers, do they handle it differently?

    On Windows it uses thumbs.db, a hidden system file located in each folder that has thumbnails cached (not all do if they don't contain documents or images that get preview thumbnails). You can also turn thumbnail caching off in Explorer settings or via group policy.

    --
    I browse on +1 so AC's need not respond, I won't see it.

  4. Re:Does Windows Explorer do it differently, or Lin by Actually, I do RTFA · · Score: 3, Informative

    Windows creates the thumbnails in a subdirectory of the original, so it should also be encrypted (or maybe it doesn't anymore.) And I believe the index is per drive. At any rate, there is a checkbox for "turn off thumbnails" and "turn off indexing" on a drive.

    --
    Your ad here. Ask me how!

  5. Re:Here's a pwned 133t h4x0r link to the OS X kern by jeremyp · · Score: 4, Informative

    Which has nothing to do with this. The thumbnails are not created by the kernel but by the Finder, which is not open source.

    --
    All I want is a secure system where it's easy to do anything I want. Is that too much to ask ~~ Randall Munroe