macOS 'Quick Look' Bug Can Leak Encrypted Data Through Thumbnail Caches

by

A long-standing bug in macOS's Quick Look feature has the potential to expose sensitive user files like photo thumbnails and the text of documents, even on encrypted drives, according to security researchers.

Details on the Quick Look flaw were shared earlier this month by security researcher Wojciech Regula and over the weekend on security researcher Patrick Wardle's blog (via The Hacker News).

quicklookbug

Image via Wojciech Regula

Quick Look in macOS is a convenient Finder feature that's designed to present a zoomed-in view when you press the space bar on a photo or document that's selected.

To provide this preview functionality, Quick Look creates an unencrypted thumbnail database where thumbnails of files are kept, with the database storing file previews from a Mac's storage and any attached USB drives whenever a folder is opened. These thumbnails, which provide previews of content on an encrypted drive, can be accessed by someone with the technical know how and there's no automatic cache clearing that deletes them. As Regula explains:

It means that all photos that you have previewed using space (or Quicklook cached them independently) are stored in that directory as a miniature and its path. They stay there even if you delete these files or if you have previewed them in encrypted HDD or TrueCrypt/VeraCrypt container.

This is an issue that's existed for at least eight years and concerns have been raised about it in the past, but Apple has made no changes in macOS to address it. "The fact that behavior is still present in the latest version of macOS, and (though potentially having serious privacy implications), is not widely known by Mac users, warrants additional discussion," writes Wardle.

As Wardle points out, this information is valuable in law enforcement investigations, but most users are not going to be happy to learn that their Mac records file paths and thumbnails of documents from every storage device that's been attached to it.

For a forensics investigation or surveillance implant, this information could prove invaluable. Imagine having a historic record of the USB devices, files on the devices, and even thumbnails of the files...all stored persistently in an unencrypted database, long after the USB devices have been removed (and perhaps destroyed). For users, the question is: "Do you really want your Mac recording the file paths and 'previews' thumbnails of the files on any/all USB sticks that you've ever inserted into your Mac?" Me thinks not...

It's worth noting that if the main drive on the Mac is encrypted, the Quick Look cache that's created is too. Wardle says that data "may be safe" on a machine that's powered off, but on a Mac that's running, even if encrypted containers are unmounted, the caching feature can reveal their contents.

"In other words, the increased security encrypted containers were thought to provide, may be completely undermined by QuickLook," writes Wardle.

Wardle recommends that users concerned about unencrypted data storage clear the Quick Look cache manually whenever a container is unmounted, with instructions for this available on Wardle's website. It's also worth checking out Wardle's site for full details on the Quick Look bug.

Popular Stories

iOS 26

When Will Apple Release iOS 26.2?

Monday December 1, 2025 4:37 pm PST by
We're getting closer to the launch of the final major iOS update of the year, with Apple set to release iOS 26.2 in December. We've had three betas so far and are expecting a fourth beta or a release candidate this week, so a launch could follow as soon as next week. Past Launch Dates Apple's past iOS x.2 updates from the last few years have all happened right around the middle of the...
Read Full Article26 comments
maxresdefault

iPhone Fold: Launch, Pricing, and What to Expect From Apple's Foldable

Monday December 1, 2025 3:00 am PST by
Apple is expected to launch a new foldable iPhone next year, based on multiple rumors and credible sources. The long-awaited device has been rumored for years now, but signs increasingly suggest that 2026 could indeed be the year that Apple releases its first foldable device. Subscribe to the MacRumors YouTube channel for more videos. Below, we've collated an updated set of key details that ...
Read Full Article49 comments
ios 18 to ios 26 upgrade

Apple Pushes iPhone Users Still on iOS 18 to Upgrade to iOS 26

Tuesday December 2, 2025 11:09 am PST by
Apple is encouraging iPhone users who are still running iOS 18 to upgrade to iOS 26 by making the iOS 26 software upgrade option more prominent. Since iOS 26 launched in September, it has been displayed as an optional upgrade at the bottom of the Software Update interface in the Settings app. iOS 18 has been the default operating system option, and users running iOS 18 have seen iOS 18...
Read Full Article273 comments
Sad Siri Feature

Apple AI Chief John Giannandrea Retiring After Siri Delays

Monday December 1, 2025 2:16 pm PST by
Apple AI chief John Giannandrea is stepping down from his position and retiring in spring 2026, Apple announced today. Giannandrea will serve as an advisor between now and 2026, with former Microsoft AI researcher Amar Subramanya set to take over as vice president of AI. Subramanya will report to Apple engineering chief Craig Federighi, and will lead Apple Foundation Models, ML research, and ...
Read Full Article100 comments
Netflix Smaller 4

Netflix Kills Casting From Its Mobile App to Most Modern TVs

Monday December 1, 2025 4:36 am PST by
Netflix has quietly removed the ability to cast content from its mobile apps to most modern TVs and streaming devices, including newer Chromecast models and the Google TV Streamer. The change was first spotted by users on Reddit and confirmed in an updated Netflix support page (via Android Authority), which now states that the streaming service no longer supports casting from mobile devices...
Read Full Article113 comments
Touchscreen MacBook Feature

Here Are the Four MacBooks Apple Is Expected to Launch Next Year

Monday December 1, 2025 5:00 am PST by
2026 could be a bumper year for Apple's Mac lineup, with the company expected to announce as many as four separate MacBook launches. Rumors suggest Apple will court both ends of the consumer spectrum, with more affordable options for students and feature-rich premium lines for users that seek the highest specifications from a laptop. Below is a breakdown of what we're expecting over the next ...
Read Full Article58 comments
iphone 17 cyber

iPhone 17 Demand Is Breaking Apple's Sales Records

Tuesday December 2, 2025 9:44 am PST by
Apple's iPhone 17 lineup is selling well enough that Apple is on track to ship more than 247.4 million total iPhones in 2025, according to a new report from IDC. Total 2025 shipments are forecast to grow 6.1 percent year over year due to iPhone 17 demand and increased sales in China, a major market for Apple. Overall worldwide smartphone shipments across Android and iOS are forecast to...
Read Full Article131 comments
iOS 26

Apple Seeds iOS 26.2 and iPadOS 26.2 Release Candidates to Developers and Public Beta Testers

Wednesday December 3, 2025 10:33 am PST by
Apple today seeded the release candidate versions of upcoming iOS 26.2 and iPadOS 26.2 updates to developers and public beta testers, with the software coming two weeks after Apple seeded the third betas. The release candidates represent the final versions of iOS 26.2 and iPadOS 26.2 that will be provided to the public if no further bugs are found during this final week of testing....
Read Full Article39 comments
Cyber Week Deals 2025

Best Cyber Week Apple Deals Include Big Discounts on AirPods, Apple Watch, and More

Sunday November 30, 2025 7:33 am PST by
Cyber Week is here, and you can find popular Apple products like AirPods, iPad, Apple Watch, and more at all-time low prices. In this article, the majority of the discounts will be found on Amazon. Note: MacRumors is an affiliate partner with some of these vendors. When you click a link and make a purchase, we may receive a small payment, which helps us keep the site running. Specifically,...
Read Full Article13 comments
iOS 26

What to Expect From Apple This December: iOS 26.3 Beta, Replay 2025, and More

Monday December 1, 2025 8:40 am PST by
The calendar has turned to December, and the quieter year-end holiday season is now upon us. Nevertheless, we can still expect a few things from Apple this month. Apple previously announced that iOS 26.2 will be released to the general public in December, and we can expect corresponding updates to be released as well, including iPadOS 26.2, macOS 26.2, watchOS 26.2, tvOS 26.2, and visionOS...
Read Full Article17 comments

Top Rated Comments

luvbug Avatar
luvbug
97 months ago
It's a one line command (in terminal) to clear the cache. You need to be an "admin" user, but you don't need to be root:

qlmanage -r cache

Of course, someone here will figure out a reason to whine about having to do this.
Score: 20 Votes (Like | Disagree)
InuNacho Avatar
InuNacho
97 months ago
I’ve known about this for years. I accidently locked a word file and was able to “rescue” it by hitting the space bar.
Great security.
Score: 18 Votes (Like | Disagree)
magicschoolbus Avatar
magicschoolbus
97 months ago
This is an issue that's existed for at least eight years and concerns have been raised about it ('http://osxdaily.com/2010/07/25/filevault-and-quicklook-leak-some-information-from-encrypted-volumes/') in the past, but Apple has made no changes in macOS to address it. "The fact that behavior is still present in the latest version of macOS, and (though potentially having serious privacy implications), is not widely known by Mac users, warrants additional discussion," writes Wardle.
Apple does not care about the Mac. The hardware and this proves it. You guys should seriously consider naming this site iosrumors.com (that's not a shot at you either.. Apple is all about iOS)
Score: 17 Votes (Like | Disagree)
Acidsplat Avatar
Acidsplat
97 months ago
So, you get the prize for first whiner! I guess assigning blame is more important to you than addressing the problem in the first person using readily available information.
Ordinary people wouldn’t know to input a terminal command, or even know that Quick Look is leaking their data.

The bug lies with Apple’s code. How is this the fault of the consumer? The consumer is certainly not the party to blame in this situation.
Score: 12 Votes (Like | Disagree)
Acidsplat Avatar
Acidsplat
97 months ago
It's a one line command (in terminal) to clear the cache. You need to be an "admin" user, but you don't need to be root:

qlmanage -r cache

Of course, someone here will figure out a reason to whine about having to do this.
You shouldn't have to do this because of a bug in the software left in from literally years ago.
Score: 11 Votes (Like | Disagree)
AL1630 Avatar
AL1630
97 months ago
Hmm. It seems like these flaws are becoming more common lately. Not sure if that's just me paying more attention or if the amount of flaws is actually increasing.
Score: 8 Votes (Like | Disagree)
Read All Comments