Quick Look generates thumbnails exposing part of the content

Jun 19, 2018 09:11 GMT

A vulnerability in macOS exposes part of the content stored on encrypted drives, and security researchers say the bug has been known for at least several years.

The Quick Look feature bundled into Apple’s desktop operating system is the culprit, as it generates previews that are then stored on unencrypted drives, regardless of the original location of the file. This means that when Quick Look is triggered, the feature generates a preview of each file, even if from an encrypted drive, and then stores it in a non-encrypted location.

The preview partially exposes the content of the file and can then be accessed by malicious actors to read this information, researchers have shown.

Quick Look is a feature that makes it possible for macOS users to quickly preview each file by pressing the space bar. The operating system then opens a pop-up that’s essentially a thumbnail with the essential info, and this image is then stored in a folder at the following path:

$TMPDIR/../C/com.apple.QuickLook.thumbnailcache/

Security researcher Wojciech Regula has created a proof of concept to demonstrate the vulnerability, proving that image information can be retrieved using this bug, including a smaller preview that exposes the actual content of the photo.
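A defender-side check of the cache location given above, added here as an example and not taken from the article or from either researcher: it reports how many files and bytes currently sit in the Quick Look thumbnail cache. The function names are hypothetical; the path is the one quoted in the article.

```shell
#!/bin/sh
# Added example: audit the Quick Look thumbnail cache for leftover data.
# Function names are hypothetical; the cache path is the one the article quotes.

# Resolve the cache directory from a per-user temp dir (defaults to $TMPDIR).
ql_cache_dir() {
    base="${1:-$TMPDIR}"
    # Strip one trailing slash so the result has no "//" in it.
    printf '%s\n' "${base%/}/../C/com.apple.QuickLook.thumbnailcache"
}

# Print "<file count> <total bytes>" for the cache, or "0 0" if it is absent.
ql_cache_summary() {
    dir="$(ql_cache_dir "$1")"
    if [ ! -d "$dir" ]; then
        echo "0 0"
        return 0
    fi
    # $(( ... )) normalises the space-padded output of BSD wc.
    count=$(( $(find "$dir" -type f 2>/dev/null | wc -l) ))
    # cat + wc keeps byte counting portable between BSD and GNU userlands.
    bytes=$(( $(find "$dir" -type f -exec cat {} + 2>/dev/null | wc -c) ))
    echo "$count $bytes"
}

# Report for the current user when run directly.
summary="$(ql_cache_summary)"
echo "Quick Look thumbnail cache: ${summary% *} file(s), ${summary#* } byte(s)"
if [ "${summary#* }" -gt 0 ]; then
    # qlmanage -r cache resets the thumbnail disk cache.
    echo "Cache is not empty; 'qlmanage -r cache' resets it."
fi
```

A non-zero byte count after an encrypted volume or USB drive has been detached means previews of its files may still be readable from the unencrypted location.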

No word from Apple just yet

Additionally, Patrick Wardle emphasizes that this bug could also expose the contents of USB drives that are connected to a macOS device, as thumbnails that are generated to preview files are stored in the same location, even after the drive is removed from the computer.

While the vulnerability has been there for many years, security researchers say it’s more worrying that Apple isn’t addressing it, and the simple fact that users don’t know about it could further expose their data.

“The fact that behavior is still present in the latest version of macOS, and (though potentially having serious privacy implications), is not widely known by Mac users, warrants additional discussion,” Wardle noted.

Apple hasn’t released any comments on this macOS bug, and it’s not yet known if and when the company could release a patch.