Reminder: macOS still leaks secrets stored on encrypted drives

Enlarge (credit: Wardle and Regula)

Unbeknownst to many people, a macOS feature that caches thumbnail images of files can leak highly sensitive data stored on password-protected drives and encrypted volumes, security experts said Monday.

The automatically generated caches can be viewed only by someone who has physical access to a Mac or infects the Mac with malware, and the behavior has existed on Macs for almost a decade. Still, the caching is triggered with minimal user interaction and causes there to be a permanent record of files even after the original file is deleted or the USB drive or encrypted volume that stored the data is disconnected from the Mac. Patrick Wardle and Wojciech Reguła, who are macOS security experts at Digita Security and SecuRing, respectively, said for many people, it’s unnecessarily risky to store snapshots of files related to passwords or other sensitive matters in an unprotected folder. In a blog post published Monday, they wrote:

For a forensics investigation or surveillance implant, this information could prove invaluable. Imagine having a historic record of the USB devices, files on the devices, and even thumbnails of the files…all stored persistently in an unencrypted database, long after the USB devices have been removed (and perhaps destroyed).

For users, the question is: “Do you really want your Mac recording the file paths and ‘previews’ thumbnails of the files on any/all USB sticks that you’ve ever inserted into your Mac?” Me thinks not…

As the researchers note, the caching may cause there to be a permanent record of every drive that connects to a Mac. It also creates a thumbnail image that can leak key details about many of the images stored on the drives, as well as password-protected folders or encrypted volumes. The thumbnails will live on in an SQLite database stored indefinitely in the macOS file system.