Mojave fixes QuickLook cache vulnerability

Back in June, security experts Wojciech Regula and Patrick Wardle discovered that, in High Sierra and earlier, it was easy for a malicious user or malware to examine the contents of the macOS QuickLook cache. This could be used to study recently-previewed images and other documents in worrying detail.

As a result of this, I wrote a couple of tools, Aquiline and Aquiliner, which enabled users to empty their QuickLook caches to protect their privacy, and to turn off caching altogether should they wish.

I’m delighted to report that Apple has responded to this issue in macOS 10.14 Mojave, and made the QuickLook cache altogether inaccessible, although I wait for news from Wojciech and/or Patrick that they’ve managed to wheedle their way around the new defences! So you can now trash those two apps, which have also been deprived of any access to the QuickLook cache.

What has Apple done? It has locked the QuickLook cache folder away from apps using sandboxing.

The QuickLook cache is to be found in a path like
/var/folders/t9/[long ID]/C/
Look at that in the Finder, and it looks like a file, not a folder, although there is some confusion, as the Finder also shows a disclose triangle, as if really is a folder after all.



In Finder’s Get Info dialog, the size of the folder is shown, but the permissions are given as having “unknown access”, in that the Finder is denied knowledge of that folder’s attributes.

Turn to Terminal, and that folder doesn’t appear in any ls listing of its parent folder, and trying to list it directly returns
Operation not permitted
even if you have sudoed.

You can try giving Terminal or another app (such as my Precize) Full Disk Access in Privacy, but it makes no difference at all: you can’t see what’s inside the cache any more.


When Aquiline or Aquiliner try to access the cache, they ‘see’ a folder which is completely empty, with a size of 0 bytes, even when the Finder admits that there are many megabytes within.

When an app like Precize or xattred tries to get information about the cache folder and its contents, they hit a System Policy to deny(1) as a violation from sandboxd.

The qlmanage command does appear to work as previously, but there now seems little point in trying to flush the QuickLook cache.

Unless and until someone smart finds a way around this System Policy, it looks like your QuickLook cache is safe from all prying eyes, no matter what tricks you care to pull.

Thank you, Apple, although I can’t see any reference to this being fixed in the security notes for macOS 10.14.