How to Clear Quick Look Cache on Mac and Why You Should


While most system caches on macOS don’t need regular clearing, certain caches, like the Quick Look cache, can create security vulnerabilities. This cache might retain previews of encrypted files, potentially allowing unauthorized individuals to access these images without needing to decrypt the actual files.

Why Clear the Quick Look Cache on macOS?

The Quick Look cache poses a risk because it can store unencrypted previews of sensitive files. If someone knows where to look, they could potentially view these thumbnails, which could compromise the confidentiality of your information. Therefore, regularly clearing this cache is recommended for users who prioritize security.

Quick Look is operated by the “com.apple.quicklook.ThumbnailsAgent” service, which scans your system to generate previews for various files. These thumbnails are kept in an SQLite database, accessible to any user on the system. The cache retains previews for all files, regardless of whether they’ve been opened with Quick Look.

To locate the cache, navigate to “/var/folders” on your Mac. Inside, you’ll need to explore a bit to find the folder named “com.apple.QuickLook.thumbnailcache”. Regular maintenance of this cache can help protect your sensitive data.

Is this a problem?

The leakage of encrypted data is a critical issue that should not be overlooked, especially regarding image files. Even small-sized previews can inadvertently expose sensitive information. For instance, images that haven’t been viewed with Quick Look generate thumbnails measuring 128 pixels on their longest side. However, if the images are accessed through Quick Look, the resulting thumbnails can grow to nearly three times that size, significantly increasing the risk of revealing confidential details.

Moreover, non-image files are not immune to this risk. When Quick Look creates previews for these types of files, it saves a thumbnail of their Finder icon. For example, text files such as TXT or RTF documents may produce a curled page icon in the cache. Although the actual content remains encrypted, these thumbnails can still indicate the file type and suggest the nature of the contents, potentially compromising privacy.

The combination of these factors makes it essential for users to regularly clear the Quick Look cache, particularly those handling sensitive information. This practice not only mitigates the risk of data leakage but also enhances overall system security, ensuring that private information remains protected from unintended exposure.

According to the security researcher who most recently wrote about this vulnerability, thumbnails persist even after the files are deleted. Furthermore, Quick Look previews are saved for USB drives after their removal. As such, plugging a USB drive into a Mac leaves behind detectable traces after the drive has been removed. So even if the parent file is not currently accessible by the system, the preview can reveal data about it.

Clearing the Quick Look Cache on macOS

1. Open Terminal from “/Applications/Utilities/Terminal.app” or by typing the name of the application in Spotlight.

2. Paste the command below into Terminal, then press the “Enter” key to execute it. This will immediately stop the Quick Look service and delete the cached files.

qlmanage -r cache

Disabling the Quick Look Cache on macOS

The above command will empty the Quick Look cache. However, if left to function, the cache will immediately begin to accrue files again, regardless of their encryption status.

To fix this, you can permanently disable the cache. This may slow Quick Look down slightly, but it will work around the existing vulnerability. To disable the Quick Look cache permanently, execute the Terminal command below:

qlmanage -r disablecache

If you wish to turn the Quick Look cache back on, use the enablecache command in place of disablecache.

Conclusion

This vulnerability may be patched by Apple eventually. However, Apple has left it there for long enough that computer forensic specialists see it as a reliable method for exfiltrating images. For greater security, you might run this process regularly under a recurring script or manually after removing USB devices.
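A script for the recurring cleanup suggested above, written as an added example and not taken from the original article: it finds the cache folder under “/var/folders”, reports how many bytes it holds, runs the clearing command, and reports again. The function names (find_ql_cache, ql_cache_bytes, ql_report, ql_clear) are hypothetical, and the script assumes the folder name given earlier in the article.

```sh
#!/bin/sh
# Added example (not from the original article): locate the Quick Look
# thumbnail cache, report its size, clear it, and report the size again.

CACHE_NAME="com.apple.QuickLook.thumbnailcache"   # folder name given in the article

# List every cache folder below a root (the article points at /var/folders).
find_ql_cache() {
    find "${1:-/var/folders}" -type d -name "$CACHE_NAME" 2>/dev/null
}

# Total bytes held in regular files under one cache folder.
ql_cache_bytes() {
    find "$1" -type f -exec cat {} + 2>/dev/null | wc -c | tr -d ' '
}

# Print "<bytes> <path>" for each cache folder found below a root.
ql_report() {
    find_ql_cache "$1" | while IFS= read -r dir; do
        printf '%s %s\n' "$(ql_cache_bytes "$dir")" "$dir"
    done
}

# Clear the cache with the command from the article; fail clearly off macOS.
ql_clear() {
    if ! command -v qlmanage >/dev/null 2>&1; then
        echo "qlmanage not found (not macOS?)" >&2
        return 1
    fi
    qlmanage -r cache
}

# Run the full before/clear/after cycle only on macOS.
if [ "$(uname -s)" = "Darwin" ]; then
    echo "Before:"; ql_report /var/folders
    ql_clear
    echo "After:";  ql_report /var/folders
fi
```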