Some time ago, I proposed that macOS 10.14 should be named Gormenghast, to reflect its many concealed and neglected features. These can trip up its own security and the protection of privacy when an old system within macOS is quietly storing sensitive data in an unprotected location. A good example is the latest vulnerability in QuickLook (or Quick Look, as Apple uses both forms).
Here is a brief overview of some of the potentially sensitive information which macOS secretes away in unexpected places. If you’re concerned about protecting the security of your data, these should be places to watch; if you’re a forensic analyst, these are often rewarding places to look.
These are metadata, which can include download URLs for files, traditional thumbnails of images, and other potentially sensitive content.
They are stored in the volume metadata, in both HFS+ and APFS, or in hidden files alongside the main data fork of the file in the case of FAT and related file systems. They thus enjoy the full protection of any encryption applied to that volume. They are stripped when copying files to some file systems, and iCloud only preserves certain types of extended attribute, removing others.
Extended attributes enjoy the full protection of permissions, and can be browsed and edited using xattred and other tools. Otherwise, they are largely inaccessible outside apps. I have a lot of material here about extended attributes.
Spotlight search metadata
These are extensive indexes of metadata used by Spotlight for search purposes. They are held in the hidden folder
.Spotlight-V100 at the root level of each volume, containing only metadata for that volume, and locked away with system permissions. Their only access is through Spotlight and developer interfaces to its features.
Previous versions of many documents are kept in the hidden folder
.DocumentRevisions-V100, which is locked away with protective permissions at the root level of each volume. When a volume is encrypted, all retained versions of its documents will also be protected by that encryption. Although they can contain a great deal of very sensitive data, their only access is through the macOS versioning system, via the current version of that document.
Previous versions of a document are not normally copied or moved to other volumes, although Revisionist and DeepTools can preserve them. Versions are also lost when copying via iCloud. Revisionist (from Downloads above) provides a full range of tools for working with them, including the removal of old versions.
File system events
These are detailed records of changes made to files and folders, which are held in the hidden folder
.fseventsd at the root level of each volume, with protective permissions. Although this contains information about which items and locations have changed, it doesn’t cache content, and is in any case protected within encrypted volumes.
The unified log, introduced with macOS 10.12 Sierra, contains copious details written by the many sub-systems in macOS, and often by apps too. Entries are stored in
/var/db/diagnostics on the boot volume, and are only encrypted when that volume is encrypted. However, raw data are kept in a compressed proprietary format (which is neither documented nor has been reversed), and their only access is through Console, the
log command, and tools such as Consolation and Woodpile.
This log system is designed with privacy built in: by default, for instance, mutable strings passed in log messages are redacted with
<private> in the log. However, it is possible to reconfigure the log to store unredacted entries. Access to the log is limited to admin users. I have considered its privacy aspects in more detail in this article.
Most events and much else in macOS are now labelled with a UUID. Many of these are indexed in folders stored in
/var/db/uuidtext, but I am not aware of anyone who has been able to use this scheme to discover whether this can be abused to leak any sensitive data.
Hidden user temporary directories
Specific apps use a range of locations for storing potentially sensitive data, including
~/ itself, and folders in and near what is referred to as
NSTemporaryDirectory. The latter are folders in
/var/folders/ with a short name such as
t9/, followed by an obfuscated name like
dsdtkd0161b3w6fcjhlyqvjm0000gn/. These have been found to pose several security and privacy problems, and are the concern of the rest of this article.
QuickLook thumbnails and previews
Normally, when QuickLook generates a thumbnail or preview, it is stored in its cache database kept in NSTemporaryDirectory in the path
C/com.apple.QuickLook.thumbnailcache/. These can give very revealing insights into images and other documents which have been accessed recently.
This cache is completely unprotected, with permissions which allow access by regular users, and is always stored on that user’s boot volume. Only if the boot volume is encrypted is this database protected from prying eyes. Further details of its vulnerability are given in this article, and Aquiline Check provides control over QuickLook’s caching behaviour.
Like QuickLook’s cache, that for Notifications is kept in
NSTemporaryDirectory in the path
0/com.apple.notificationcenter/db2/, and is completely unprotected. Apps should remove notifications from this database automatically, but some don’t handle that properly. A recent case involving a bug in the secure messaging app Signal is detailed here.
Most other apps keep caches, although these generally only contain Metal support data, rather than leaked sensitive information from documents. These are accessible through
NSTemporaryDirectory. Caches are more likely to appear in the C folder there, while T contains various temporary data. Among those is
com.apple.desktoppicture, which caches full-sized desktop images, for instance.
There are always other places, perhaps for another article.
Mojave and enhanced privacy
One of Apple’s announcements at WWDC 2018 for Mojave this autumn/fall is the provision of additional privacy protection for data including mail and address books. Apple demonstrated a front-end for this in a changed Security & Privacy pane, which enables the user to deny access by specific apps to classes of personal data. No mention was made of archaic caches like that of QuickLook, although it is unclear whether this may evolve during the beta-testing phase prior to the first release.