There is a cool feature in macOS that most users love to turn to whenever possible. Introduced with OS X 10.5 Leopard, Quick Look allows users to preview a file without the need to open it in an application. By selecting any given file and then pressing the space bar, users will see a preview of the content. Quick Look can be used to view photos, files, or a folder without having to open them, for items in seen in Finder, or with email and messages. There is a problem, though: each time it is used it leaks sensitive data, even if the content is encrypted, according to security experts.
How Quick Look Leaks Your Data
Every time a user presses the Space bar to preview a file, it caches the content and adds it to a thumbnail database. These miniatures of the original file and their original path are stored in the /var/folders/…/C/com.apple.QuickLook.thumbnailcache/ directory as security experts Wojciech Reguła and Patrick Wardle discovered.
These security experts have tested the security flaw on the latest available version of macOS and demonstrated that it affects both regular and encrypted APFS containers. As it turns out, this Quick Look cache issue was widely known, especially in forensics circles, because it reveals enough data to determine the contents of the previewed documents, especially in the case of images.
Another interesting discovery was that macOS leaks data by caching the content of removable drives, too. In a post on a well-known forum, a user asked whether USB drives left any trace on iMac running macOS Sierra. The answer was surprising: by opening a folder on the external drive, macOS creates thumbnails of its contents “depending on the file type and the installed QuickLook plugins”.
How to Address This Data Leak
You may already know that when it comes to caches we recommend using a Mac optimization app to remove them. However, these apps are helpless when it comes to the Quick Look cache, even for the most powerful ones such as CleanMyMac and OnyX.
This leaves only one option: manually removing this cache and stopping macOS from leaking your data, even if you do think that you have nothing to hide. To fully remove the Quick Look cache, follow the steps below:
- Open Terminal.
- Copy and paste the following command:
qlmanage -r cache
macOS will remove the Quick Look cache files without the need for a reboot. Now you can use Quick Look as many times as you want and then, at the end of your session, just run the Terminal command and your data will remain protected from prying eyes.
Best Mac Optimization Software of 2018