Infosec Experts Say macOS Thumbnail Cache Could Leak Sensitive Data

Unix security experts have recently discovered that the creation of thumbnails for images and other file types could theoretically lead to a fairly serious vulnerability in computers running Apple’s macOS system software. If a directory stores images and other visual documents, then macOS will automatically create thumbnails for files in those directories. These thumbnails are then cached along with other file system data.

By giving users a chance to see what’s in a file, this feature can speed up workflows. There’s seldom a reason to load a heavier image editor into RAM when all you want to do is take a look at a single document’s contents. However, macOS also creates these thumbnails for files stored in encrypted containers.

Volumes and partitions that are protected with a user-generated password aren’t immune to thumbnail creation. Whenever a user navigates to a directory that contains these types of files, the system software springs into action without prompting the user. It doesn’t matter what type of underlying file system is in use.

Finder and QuickLook create these thumbnails, which means those using non-standard custom file browsers are somewhat immune. Dialog boxes that prompt users to open files from within applications, however, often make use of Macintosh Finder, which means even these users could theoretically experience issues.

Finder shows a regular file icon for every type of document until it’s capable of displaying a more sophisticated thumbnail that features a low-resolution preview of the image. Since these thumbnails could display sensitive material and aren’t necessarily encrypted in the same way that the underlying file structure is, an attacker could exploit the vulnerability by peering through cached thumbnails.

Fortunately, users can simply disable all thumbnail previews in Finder. While infosec researchers focused on macOS in their study, comparable functionality provided by the default file managers in many GNU/Linux implementations, as well as by File Explorer in Microsoft Windows, may present the same vulnerability.

Users may wish to disable thumbnail creation on these platforms as well in order to reduce the risk of an information leak. Securely overwriting cached data may also help to preserve the safety of these documents regardless of what platform users access files from.
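To check whether a GNU/Linux desktop has already cached previews of files from an encrypted volume, the following added example (not from the researchers or the original article) audits a thumbnail cache that follows the freedesktop.org thumbnail convention, where each cached PNG records its source in a `Thumb::URI` text chunk. The cache location (typically `~/.cache/thumbnails`), the mount point `/media/vault` and the sample file names are assumptions made for illustration.

```python
import struct
import tempfile
import zlib
from pathlib import Path
from urllib.parse import unquote, urlparse

PNG_SIG = b"\x89PNG\r\n\x1a\n"

def png_text_chunks(data):
    """Return tEXt key/value pairs of a PNG (CRCs are not verified)."""
    out, pos = {}, len(PNG_SIG)
    if not data.startswith(PNG_SIG):
        return out
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        body = data[pos + 8:pos + 8 + length]
        if ctype == b"tEXt" and b"\x00" in body:
            key, value = body.split(b"\x00", 1)
            out[key.decode("latin-1")] = value.decode("latin-1")
        pos += 12 + length  # 4 length + 4 type + data + 4 CRC
    return out

def leaked_thumbnails(cache_dir, protected_mount):
    """List (thumbnail name, source path) whose source lies under protected_mount."""
    root, hits = Path(protected_mount), []
    for thumb in sorted(Path(cache_dir).rglob("*.png")):
        uri = png_text_chunks(thumb.read_bytes()).get("Thumb::URI", "")
        src = Path(unquote(urlparse(uri).path))
        if uri.startswith("file://") and (src == root or root in src.parents):
            hits.append((thumb.name, str(src)))
    return hits

def make_sample_thumbnail(uri):
    """Constructed sample: PNG skeleton with a Thumb::URI chunk, no pixel data."""
    def chunk(ctype, body):
        crc = struct.pack(">I", zlib.crc32(ctype + body))
        return struct.pack(">I", len(body)) + ctype + body + crc
    ihdr = chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0))
    text = chunk(b"tEXt", b"Thumb::URI\x00" + uri.encode("latin-1"))
    return PNG_SIG + ihdr + text + chunk(b"IEND", b"")

def demo():
    with tempfile.TemporaryDirectory() as tmp:
        for name, uri in (("a.png", "file:///media/vault/scan%20001.jpg"),  # constructed
                          ("b.png", "file:///home/user/cat.jpg")):
            (Path(tmp) / name).write_bytes(make_sample_thumbnail(uri))
        return leaked_thumbnails(tmp, "/media/vault")

if __name__ == "__main__":
    print(demo())
```

Any entry this reports is a preview stored outside the encrypted volume and is a candidate for removal from the cache.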

Classic implementations of OS X as well as macOS Sierra and higher have always permitted users to disable this functionality and therefore maintain some extra degree of security.

John Rendace
John is a GNU/Linux expert with a hobbyist's background in C/C++, Web development, storage and file system technologies. In his free time, he maintains custom and vintage PC hardware. He's been compiling his own software from source since the DOS days and still prefers using the command line all these years later.