Apple's macOS surreptitiously creates and caches thumbnails for images and other file types stored on password-protected / encrypted containers (hard drives, partitions), according to Wojciech Reguła and Patrick Wardle, two macOS security experts.

The problem is that these cached thumbnails are stored on non-encrypted hard drives, in a known location and can be easily retrieved by malware or forensics tools, revealing some of the content stored on encrypted containers.

How are these thumbnails created

On macOS, these thumbnails are created by Finder and QuickLook. Finder is the default macOS file explorer app, similar to Windows Explorer.

Whenever a user navigates to a new folder, Finder automatically loads icons for the files located in those folders. For images, these icons are gradually replaced by thumbnails that show a preview of the image at a small scale.

But in a recent macOS version, Apple has added a new feature to Finder called QuickLook. This feature allows users to hold down the Space key while having a file selected and view an image-like preview of the document's content.

Apple devs created this feature to allow users to preview files with similar names and determine which one they want to open.

Under the hood, these QuickLook previews are nothing more than images, similar to the thumbnails Finder creates for photos. Both types of thumbnails are created and stored in the same location, at:

$TMPDIR/../C/com.apple.QuickLook.thumbnailcache/

"Leak" known for years

Users using encrypted containers to safeguard files from intrusive eyes may be unaware that they might be leaking information via the thumbnail cache or via the QuickLook functionality.

According to Wardle, this "leak" has been known about for at least eight years and has been a professional secret known by many forensics experts [1, 2, 3].

However, with political regimes around the world cracking down on dissident voices with top-of-the-line tech and increased brutality, both Reguła and Wardle have now published blog posts detailing this mechanism in the hopes of alerting users about the issue in order to take preemptive measures.

Wardle says that by running the following two commands after unmounting an encrypted container, users can delete the thumbnail cache (and reboot the computer), and clear any compromising thumbnails from the non-encrypted section of their OS.