Preview is one of the most useful tools of the Mac. Just pressing the spacebar on a file allows us to see its expanded content without having to open it. This tool is present in macOS for many years, but also a small bug that allows you to reveal information even when it is encrypted.
This new bug was discovered earlier this month by security expert Wojciech Regula and it has been Patrick Wardle who has given more details about it recently. In general, Preview stores data files even if they have been encrypted or deleted from the computer . Why? By the program’s cache.
For Preview to generate (literally) previews, what it does is index all the content that enters the computer and is available in the Finder. Therefore, if you insert an external storage unit as a USB stick , it will scan it and store in its cache a preview of the items that are in the external unit. The security hole? This cache is maintained despite ejecting the storage unit or deleting the files, even when the files are encrypted.
The security hole is not new , it is more than eight years old and it is not the first time it comes to light . Although its consequences do not seem so serious, for an external agent it is quite valuable information. For example, you can have a complete history of all the files and routes that have passed through the Mac in recent times. It also allows to extract relevant information from those files, since there is a preview and stored metadata.
How to prevent Preview from storing this data
The data stored in the Preview cache works in a similar way to the data that is stored in any cache: they are temporary. This means that manually deleting the cache, restarting the computer or encrypting the storage disk will no longer be available. To clean the cache manually use the following command in Terminal: $ rm -rf $ TMPDIR /../ C / com.apple.QuickLook.thumbnailcache Then apply a reboot : $ sudo reboot .
However, my recommendation is always to have the storage disk of the Mac encrypted , this can be done from System Preferences> Security and Privacy> FireVault. Of course, keep in mind that as you lose the master password, you will lose everything inside the Mac.
More information | Patrick Wardle