An APFS Filesystem flaw could lead macOS losing data under certain conditions

The Apple expert Mike Bombich discovered an APFS Filesystem vulnerability that could lead macOS losing data under certain conditions.

A few days ago a ‘text bomb‘ bug was reported for Apple iOS and macOS apps, the issue can crash any Apple iPhone, iPad Or Mac.

Now the Apple expert Mike Bombich discovered an APFS Filesystem vulnerability that could lead macOS losing data under certain conditions.

The bug ties the way the operating system handles APFS sparse disk images formatted in Apple filesystem format APFS.

An Apple Disk Image is a disk image commonly used by the macOS operating system is “mounted” as a volume within the Finder. It contains the entire contents and structure of a disk volume, such as USB, CD, DVD, hard disk drive, or network share.

Disk images are commonly used by several Mac apps, for example for backup applications or disk cloning.

The expert discovered that APFS sparse disk images don’t properly manage the volume of the “free disk space” from the sparse disk image, the OS doesn’t correctly report “free disk space” respect the real “free disk space” value.

“Earlier this week I noticed that an APFS-formatted sparsebundle disk image volume showed ample free space, despite that the underlying disk was completely full. Curious, I copied a video file to the disk image volume to see what would happen. The whole file copied without error! I opened the file, verified that the video played back start to finish, checksummed the file – as far as I could tell, the file was intact and whole on the disk image.” wrote Mike Bombich. “When I unmounted and remounted the disk image, however, the video was corrupted. If you’ve ever lost data, you know the kick-in-the-gut feeling that would have ensued. Thankfully, I was just running some tests and the file that disappeared was just test data. Taking a closer look, I discovered two bugs in macOS’s “diskimages-helper” service that lead to this result.”

Bombich explained that data are written into the void because the OS doesn’t warn users that there is no enough space on the underlying hard drive to contain his data.

As described by the expert, the misleading data are still accessible for a short period after the write operation, unfortunately after the next system reboot exceeding files become corrupted and inaccessible.

Bombich is the author of the Mac backup software Carbon Copy Cloner, according to statistics from his software no many users are affected. The expert says that only 7% of all Carbon Copy Cloner users store backups as sparse disk image files and that only 12% of these 7% use APFS-formatted disk images.

The Carbon Copy Cloner software will not support AFPS-formatted sparse disk images until Apple addresses the vulnerability reported by Bombich.

Below a video PoC of the flaw.

“Until Apple resolves this disk images bug, we strongly recommend that people avoid using APFS-formatted sparse disk images for any purpose with any application.” concluded the expert.
[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(Security Affairs – APFS, Data Leak)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini: Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.

This website uses cookies.