Why You Should Clear the Quick Look Cache on macOS
The Quick Look cache can end up storing previews of encrypted files in an unencrypted cache. As a result, a sufficiently informed snoop could view previews of your encrypted files without decrypting the files themselves. Frequently clearing the cache may be recommended to the security-concerned user.
Quick Look’s primary service is “com.apple.quicklook.ThumbnailsAgent.” This crawls the system and generates previews. These thumbnails are stored in an SQLite database that any user can access. This cache stores previews for all files, whether or not they have been viewed by Quick Look.
The cache can be found within “/var/folders.” From there you will need to dig around a little to locate the folder named “com.apple.QuickLook.thumbnailcache” as seen below.
Is this a problem?
Any leaking of encrypted data is undesirable. This issue is primarily a concern for images. They can reveal data even at reduced sizes. Images that have not been previewed with Quick Look will have 128 pixels on the longest side. Cached viewed images will be closer to triple that.
Non-image files will have a thumbnail of their Finder icon saved. This is something like the curled page with a preview for a TXT or RTF file. You can see an example of that type of cached preview below.
According to the security researcher who most recently wrote about this vulnerability, thumbnails persist even after the files are deleted. Furthermore, Quick Look previews are saved for USB drives after their removal. As such, plugging a USB drive into a Mac leaves behind detectable traces after the drive has been removed. So even if the parent file is not currently accessible by the system, the preview can reveal data about it.
Clearing the Quick Look Cache on macOS
1. Open Terminal from “/Applications/Utilities/Terminal.app” or by typing the name of the application in Spotlight.
2. Paste the following command below into Terminal, then press the “Enter” key to execute. This will immediately stop the Quick Look service and delete cached files.
Disabling the Quick Look Cache on macOS
The above command will empty the Quick Look cache. However, if left to function, the cache will immediately begin to accrue files again, regardless of their encryption status.
To fix this, you can permanently disable the cache. This may slow Quick Look down slightly, but it will work around the existing vulnerability. To disable the Quick Look cache permanently, execute the Terminal command below:
If you wish to turn the Quick Look cache back on, use the
enablecache command in place of
This vulnerability may be patched by Apple eventually. However, Apple has left it there for long enough that computer forensic specialists see it as a reliable method for exfiltrating images. For greater security, you might run this process regularly under a recurring script or manually after removing USB devices.