hoakley October 23, 2018 Macs, Technology

Mojave fixes QuickLook cache vulnerability

Back in June, security experts Wojciech Regula and Patrick Wardle discovered that, in High Sierra and earlier, it was easy for a malicious user or malware to examine the contents of the macOS QuickLook cache. This could be used to study recently-previewed images and other documents in worrying detail.

As a result of this, I wrote a couple of tools, Aquiline and Aquiliner, which enabled users to empty their QuickLook caches to protect their privacy, and to turn off caching altogether should they wish.

I’m delighted to report that Apple has responded to this issue in macOS 10.14 Mojave, and made the QuickLook cache altogether inaccessible, although I wait for news from Wojciech and/or Patrick that they’ve managed to wheedle their way around the new defences! So you can now trash those two apps, which have also been deprived of any access to the QuickLook cache.

What has Apple done? It has locked the QuickLook cache folder away from apps using sandboxing.

The QuickLook cache is to be found in a path like
/var/folders/t9/[long ID]/C/com.apple.QuickLook.thumbnailcache
Look at that in the Finder, and it looks like a file, not a folder, although there is some confusion, as the Finder also shows a disclose triangle, as if really is a folder after all.

qlcache01

qlcache02

In Finder’s Get Info dialog, the size of the folder is shown, but the permissions are given as having “unknown access”, in that the Finder is denied knowledge of that folder’s attributes.

Turn to Terminal, and that folder doesn’t appear in any ls listing of its parent folder, and trying to list it directly returns
Operation not permitted
even if you have sudoed.

You can try giving Terminal or another app (such as my Precize) Full Disk Access in Privacy, but it makes no difference at all: you can’t see what’s inside the cache any more.

qlcache03

When Aquiline or Aquiliner try to access the cache, they ‘see’ a folder which is completely empty, with a size of 0 bytes, even when the Finder admits that there are many megabytes within.

When an app like Precize or xattred tries to get information about the cache folder and its contents, they hit a System Policy to deny(1) as a violation from sandboxd.

The qlmanage command does appear to work as previously, but there now seems little point in trying to flush the QuickLook cache.

Unless and until someone smart finds a way around this System Policy, it looks like your QuickLook cache is safe from all prying eyes, no matter what tricks you care to pull.

Thank you, Apple, although I can’t see any reference to this being fixed in the security notes for macOS 10.14.

5Comments

Add yours

1

Anonymous on October 23, 2018 at 5:49 pm

“/var/folders/t9/[long ID]/C/com.apple.QuickLook.thumbnailcache” is a DataVault, which is a new type of privacy container that Apple introduced sometime around 10.13.4. These files/folders are identified by the “UF_DATAVAULT” file flag. These are implemented via SIP (not technically sandboxing, but the same gist). Applications need an entitlement to make or access specific data vaults, or even to stat() a DataVault folder.

These devices are worth some deeper investigation. Apple doesn’t (and apparently has no plans to) issue these entitlements to third-parties. Consider the implications of that – Apple is creating a platform where only data created in Apple applications gets the highest level of security.

Also consider that you (the user) can’t see what’s in these DataVaults without turning off SIP. It’s hard to tell what Apple is keeping in these, but some of them are a bit alarming. Here are just a few known data vaults:

~/Library/VoiceTrigger/SAT
~/Library/Containers/com.apple.mail/Data/DataVaults
/private/var/folders/0z/fs4vdwmx6g31n69qt5v5ff580000gn/0/com.apple.nsurlsessiond

That first one apparently has “Siri Audio Transcripts” – everything you’ve ever uttered to Siri on your Mac.

LikeLiked by 1 person
- 2
  
  hoakley on October 23, 2018 at 6:01 pm
  
  Thank you for that valuable information.
  The problem with providing user access is of course that the moment that is available, the vulnerability returns. There’s no way to let the user in, but keep out malware and – more importantly – spyware and other apps which go beyond where they should.
  On the other hand, if QuickLook is to use a cache, it has to be able to access it.
  So although the situation might appear alarming, what alternative is there? By using macOS, you are already trusting Apple with all your personal data, and if you don’t like it, you have to use an alternative platform.
  Howard.
  
  LikeLike
3

Anonymous on October 23, 2018 at 6:33 pm

> The problem with providing user access is of course that the moment that is available, the vulnerability returns.

No, that’s not the case at all. You could grant the Finder application (and perhaps QuickLook) access to those files. Just because Finder has access to a file, doesn’t mean that some other random application would have access to it. Consider ~/Library/Calendars, for example – you can navigate to that in the Finder, but other applications need Full Disk Access to see that content (on Mojave). Alternatively, the specific applications that created the vaults could be more transparent about what they’re storing. At this point, I would even settle for an Apple Kbase article that acknowledges the use of these DataVaults and briefly explains where they’re kept, why they’re used, what kind of data is stored inside of them, and whether it’s safe to delete them. Basic transparency stuff. I appreciate your blog article here because it sheds some light on this new security device. This is a good start.

But, there’s another angle to this that I think you’re still missing. If Apple creates a Mail application that has special privileges within the OS, and can therefore offer some sort of additional privacy or security for your data, would an end user ever choose a non-Apple email application? This is pushing users towards Apple’s applications and services, and making it yet more difficult for third-parties to develop applications that users would want to choose over the Apple applications. Brilliant strategy on Apple’s part, but is it fair to push users towards their own services by making privacy solutions inaccessible to third parties?

> So although the situation might appear alarming, what alternative is there?

Thinking specifically of the Siri transcriptions, I think a great alternative would be to tell people that you’re collecting that information and give them options to a) see what that data is and b) decide whether they want to retain that information indefinitely. Protecting the data is great, but we deserve the opportunity to object to the collection and storage of the information in the first place.

LikeLiked by 1 person
- 4
  
  hoakley on October 23, 2018 at 7:00 pm
  
  If the Finder has access to those files, then copying them from there would need to be blocked both in the Finder and by script. QuickLook already has access to the cache, of course, presumably through its special entitlement. And these are certainly not files which should be accessible to any app with Full Disk Access – as you commonly have to grant to Terminal, for example. That starts getting more complex, and has the potential for other vulnerabilities. In the case of the QuickLook cache, I think a DataVault is a good solution.
  I wasn’t missing the point over Apple’s privileged position with respect to access to DataVaults. Apple already does this with its Private Frameworks, and it’s always a concern. TCC’s privacy protection doesn’t cover the private data of any third-party app as far as I know. On the other hand, Apple makes a lot of very easy money from selling third-party apps in the App Store: if it were to kill off all competition with its free bundled apps, then it would be the loser. There’s always that fine balance.
  I don’t have any problems with what you propose for Siri transcriptions, except that Apple already does this for data which it retains. Those data which are only retained on your Mac don’t actually leave the storage which is under your control, and aren’t subject to any legal controls, nor should they be, surely.
  Howard.
  
  LikeLike
5

Michael Tsai - Blog - Mojave Fixes QuickLook Cache Vulnerability With a DataVault on October 25, 2018 at 8:34 pm

[…] Howard Oakley: […]

LikeLike

·Comments are closed.

Share this:

Related