Hidden caches in macOS: where your private data gets stored

Some time ago, I proposed that macOS 10.14 should be named Gormenghast, to reflect its many concealed and neglected features. These can trip up its own security and the protection of privacy when an old system within macOS is quietly storing sensitive data in an unprotected location. A good example is the latest vulnerability in QuickLook (or Quick Look, as Apple uses both forms).

Here is a brief overview of some of the potentially sensitive information which macOS secretes away in unexpected places. If you’re concerned about protecting the security of your data, these should be places to watch; if you’re a forensic analyst, these are often rewarding places to look.

Extended attributes

These are metadata, which can include download URLs for files, traditional thumbnails of images, and other potentially sensitive content.

They are stored in the volume metadata, in both HFS+ and APFS, or in hidden files alongside the main data fork of the file in the case of FAT and related file systems. They thus enjoy the full protection of any encryption applied to that volume. They are stripped when copying files to some file systems, and iCloud only preserves certain types of extended attribute, removing others.

Extended attributes enjoy the full protection of permissions, and can be browsed and edited using xattred and other tools. Otherwise, they are largely inaccessible outside apps. I have a lot of material here about extended attributes.

Spotlight search metadata

These are extensive indexes of metadata used by Spotlight for search purposes. They are held in the hidden folder .Spotlight-V100 at the root level of each volume, containing only metadata for that volume, and locked away with system permissions. Their only access is through Spotlight and developer interfaces to its features.

Document versions

Previous versions of many documents are kept in the hidden folder .DocumentRevisions-V100, which is locked away with protective permissions at the root level of each volume. When a volume is encrypted, all retained versions of its documents will also be protected by that encryption. Although they can contain a great deal of very sensitive data, their only access is through the macOS versioning system, via the current version of that document.

Previous versions of a document are not normally copied or moved to other volumes, although Revisionist and DeepTools can preserve them. Versions are also lost when copying via iCloud. Revisionist (from Downloads above) provides a full range of tools for working with them, including the removal of old versions.

File system events

These are detailed records of changes made to files and folders, which are held in the hidden folder .fseventsd at the root level of each volume, with protective permissions. Although this contains information about which items and locations have changed, it doesn’t cache content, and is in any case protected within encrypted volumes.

Unified log

The unified log, introduced with macOS 10.12 Sierra, contains copious details written by the many sub-systems in macOS, and often by apps too. Entries are stored in /var/db/diagnostics on the boot volume, and are only encrypted when that volume is encrypted. However, raw data are kept in a compressed proprietary format (which is neither documented nor has been reversed), and their only access is through Console, the log command, and tools such as Consolation and Woodpile.

This log system is designed with privacy built in: by default, for instance, mutable strings passed in log messages are redacted with <private> in the log. However, it is possible to reconfigure the log to store unredacted entries. Access to the log is limited to admin users. I have considered its privacy aspects in more detail in this article.

UUIDs

Most events and much else in macOS are now labelled with a UUID. Many of these are indexed in folders stored in /var/db/uuidtext, but I am not aware of anyone who has been able to use this scheme to discover whether this can be abused to leak any sensitive data.

Hidden user temporary directories

Specific apps use a range of locations for storing potentially sensitive data, including ~/Library/Application Support, ~/ itself, and folders in and near what is referred to as $TMPDIR or NSTemporaryDirectory. The latter are folders in /var/folders/ with a short name such as t9/, followed by an obfuscated name like dsdtkd0161b3w6fcjhlyqvjm0000gn/. These have been found to pose several security and privacy problems, and are the concern of the rest of this article.

QuickLook thumbnails and previews

Normally, when QuickLook generates a thumbnail or preview, it is stored in its cache database kept in NSTemporaryDirectory in the path C/com.apple.QuickLook.thumbnailcache/. These can give very revealing insights into images and other documents which have been accessed recently.

This cache is completely unprotected, with permissions which allow access by regular users, and is always stored on that user’s boot volume. Only if the boot volume is encrypted is this database protected from prying eyes. Further details of its vulnerability are given in this article, and Aquiline Check provides control over QuickLook’s caching behaviour.

Notifications

Like QuickLook’s cache, that for Notifications is kept in NSTemporaryDirectory in the path 0/com.apple.notificationcenter/db2/, and is completely unprotected. Apps should remove notifications from this database automatically, but some don’t handle that properly. A recent case involving a bug in the secure messaging app Signal is detailed here.

App-specific caches

Most other apps keep caches, although these generally only contain Metal support data, rather than leaked sensitive information from documents. These are accessible through NSTemporaryDirectory. Caches are more likely to appear in the C folder there, while T contains various temporary data. Among those is com.apple.desktoppicture, which caches full-sized desktop images, for instance.

There are always other places, perhaps for another article.

Mojave and enhanced privacy

One of Apple’s announcements at WWDC 2018 for Mojave this autumn/fall is the provision of additional privacy protection for data including mail and address books. Apple demonstrated a front-end for this in a changed Security & Privacy pane, which enables the user to deny access by specific apps to classes of personal data. No mention was made of archaic caches like that of QuickLook, although it is unclear whether this may evolve during the beta-testing phase prior to the first release.

4Comments

Add yours

1

Michael Tsai - Blog - Quick Look Cache Reveals Sensitive Data From Encrypted Drives on June 26, 2018 at 3:03 pm

[…] Update (2018-06-26): Howard Oakley: […]

LikeLike
2

Howard Oakley: Hidden caches in macOS: where your private data gets stored | Firmware Security on June 26, 2018 at 8:23 pm

[…] Hidden caches in macOS: where your private data gets stored […]

LikeLike
3

Care2Secure on June 26, 2018 at 9:03 pm

If you missed it, iosecure has put together some invaluable info on “macOS security & privacy guide” on github

https://github.com/drduh/macOS-Security-and-Privacy-Guide/issues/250

take care

LikeLike
- 4
  
  hoakley on June 26, 2018 at 10:50 pm
  
  Thanks. I had seen it, and much of the ‘advice’ given is out of date (logs) or downright dangerous, such that it will break key services. If you really feel that you need to do such things, macOS is not the right operating system for you.
  Howard.
  
  LikeLike

Share this:

Like this:

Related