Slashdot Mirror

← Back to Stories (view on slashdot.org)

macOS Breaks Your OpSec by Caching Data From Encrypted Hard Drives (bleepingcomputer.com)

Posted by msmash on from the security-woes dept.

Apple's macOS surreptitiously creates and caches thumbnails for images and other file types stored on password-protected / encrypted containers (hard drives, partitions), according to macOS security experts Wojciech Regula and Patrick Wardle. From a report: The problem is that these cached thumbnails are stored on non-encrypted hard drives, in a known location and can be easily retrieved by malware or forensics tools, revealing some of the content stored on encrypted containers. On macOS, these thumbnails are created by Finder and QuickLook. Finder is the default macOS file explorer app, similar to Windows Explorer. Whenever a user navigates to a new folder, Finder automatically loads icons for the files located in those folders. For images, these icons are gradually replaced by thumbnails that show a preview of the image at a small scale.

3 of 140 comments (clear)

  1. Re:Wait. What? by Pieroxy · · Score: 5, Informative

    > these cached thumbnails are stored on non-
    > encrypted hard drives, ... content stored on
    > encrypted containers.

    This does not make sense. If the hard drives are encrypted by FileVault; the storage location for these thumbnails would be encrypted too. Where else is this cache supposed to live? I'm pretty sure that Apple does not add an extra, secret, non-encrypted drive to everyone's Macs so as to cache these silly little images. And as if the summary weren't bad enough, it gets worse when you read the article. QuickLook isn't new, as they claim. It was introduced as part of Leopard, more than a decade ago. And a quick check on my CLI shows that TEMPDIR is very much part of my encrypted root volume. I'm thinking these people are not the "macOS security experts" they claim to be; and msmash failed as an editor in not properly vetting the article he chose to post.

    I guess the issue is when you have your laptop drive not encrypted and you connect an encrypted USB-stick on it. It then creates thumbnails of what's on your USB stick and store them on your unencrypted system drive.

    No need to be an expert. Common sense is enough.

    --
    Write boring code, not shiny code!
  2. Re:Duh! by I'm+New+Around+Here · · Score: 5, Insightful

    and then when it crashes and you can't slave it into another system to get data from it, you're hosed.

    --
    If you think I voted for Trump because of this post, you're wrong. I voted for Dr. Jill Stein of the Green Party. Again.
  3. Re:Wait. What? by guruevi · · Score: 5, Interesting

    But that is true for anything. If you plug in an encrypted drive in an insecure system and decrypt it, the encryption doesn't matter. Your memory could be swapped to disk at any point in time regardless of your OS. Hence the need for FDE.

    --
    Custom electronics and digital signage for your business: www.evcircuits.com