{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/thumbnail/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["macOS"],"_cs_severities":["medium"],"_cs_tags":["quicklook","cache","macos","thumbnail","privacy"],"_cs_type":"advisory","_cs_vendors":["Apple"],"content_html":"\u003cp\u003eThe macOS QuickLook feature, designed for quickly previewing file contents, caches thumbnails and file paths of files, including those stored within encrypted containers (e.g., VeraCrypt, macOS Encrypted HFS+/APFS drives) and removable USB devices. This cached information is stored in the clear within the user\u0026rsquo;s temporary directory ($TMPDIR/../C/com.apple.QuickLook.thumbnailcache/) and persists across reboots. This behavior, while known in forensics circles, is not widely understood by Mac users and can lead to unintended data leakage. The file paths, names, and thumbnail previews are accessible to any code running in the context of the user, even after the encrypted container is unmounted or the USB device is removed.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eUser mounts an encrypted container (e.g., VeraCrypt, APFS) or inserts a USB drive into a macOS system.\u003c/li\u003e\n\u003cli\u003eUser views a directory containing files within the mounted container or USB drive using Finder, or previews a file using the space bar, triggering QuickLook.\u003c/li\u003e\n\u003cli\u003eQuickLook generates thumbnails and caches file paths and names in the \u003ccode\u003e$TMPDIR/../C/com.apple.QuickLook.thumbnailcache/\u003c/code\u003e directory.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eindex.sqlite\u003c/code\u003e file stores the file paths and names, while \u003ccode\u003ethumbnails.data\u003c/code\u003e stores the thumbnail images.\u003c/li\u003e\n\u003cli\u003eUser unmounts the encrypted container or removes the USB drive.\u003c/li\u003e\n\u003cli\u003eThe cached thumbnails and file paths remain in the \u003ccode\u003e$TMPDIR/../C/com.apple.QuickLook.thumbnailcache/\u003c/code\u003e directory.\u003c/li\u003e\n\u003cli\u003eAn attacker gains access to the user\u0026rsquo;s macOS system.\u003c/li\u003e\n\u003cli\u003eThe attacker extracts the cached thumbnails and file paths from the QuickLook cache directory, potentially revealing sensitive information about the contents of the encrypted container or USB drive.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows an attacker with access to a macOS system to recover thumbnails and file paths of files that were stored in encrypted containers or on removable USB devices. This can lead to the disclosure of sensitive information, even if the encrypted containers are unmounted or the USB drives are removed. The impact is significant for users who rely on encryption to protect sensitive data, as the QuickLook cache undermines the security provided by encrypted containers. The size of the thumbnails, even the smaller automatically generated ones, may be sufficient to discern the content of the files.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eRegularly clear the QuickLook cache, particularly after unmounting encrypted containers. Since \u003ccode\u003eqlmanage -r\u003c/code\u003e doesn\u0026rsquo;t reliably clear the cache, consider deleting the entire \u003ccode\u003ecom.apple.QuickLook.thumbnailcache\u003c/code\u003e directory.\u003c/li\u003e\n\u003cli\u003eImplement endpoint detection rules to detect unauthorized access or modification of the QuickLook cache directory (\u003ccode\u003e$TMPDIR/../C/com.apple.QuickLook.thumbnailcache/\u003c/code\u003e) using the \u0026ldquo;Detect Suspicious QuickLook Cache Access\u0026rdquo; Sigma rule.\u003c/li\u003e\n\u003cli\u003eMonitor process execution for attempts to access or manipulate the QuickLook cache files (\u003ccode\u003eindex.sqlite\u003c/code\u003e, \u003ccode\u003ethumbnails.data\u003c/code\u003e) using the \u0026ldquo;Detect QuickLook Cache File Access\u0026rdquo; Sigma rule.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-quicklook-cache-leak/","summary":"macOS QuickLook caches thumbnails and file paths of files, even those stored within encrypted containers or on removable USB devices, potentially revealing sensitive data to attackers with access to the running system.","title":"macOS QuickLook Thumbnail Cache Leak","url":"https://feed.craftedsignal.io/briefs/2024-01-quicklook-cache-leak/"}],"language":"en","title":"CraftedSignal Threat Feed — Thumbnail","version":"https://jsonfeed.org/version/1.1"}