← Back to AI Insights
Gemini Executive Synthesis

Security vulnerability in the app uninstaller allowing arbitrary user data deletion via 'short-name bomb' and unchecked file operations.

Technical Positioning
Secure and safe application uninstallation; preventing malicious data deletion; robust input validation and file system interaction.
SaaS Insight & Market Implications
This report exposes a severe security vulnerability in PureMac's app uninstaller, enabling arbitrary user data deletion via a 'short-name bomb' attack. The core failures are threefold: inadequate length checks on normalized app names, unanchored substring matching in bundle ID comparisons, and direct, unchecked calls to `removeItem` without critical safety mechanisms like symlink guards or user confirmation. A malicious application can exploit these weaknesses to trick the uninstaller into proposing and executing the deletion of sensitive user directories. This represents a catastrophic security flaw, completely compromising data integrity and user trust. Such vulnerabilities are unacceptable for system utility software and indicate a profound lack of secure coding practices, posing an existential threat to the product's viability.
Proprietary Technical Taxonomy
malicious .app arbitrary user directories AppPathFinder.matchesApp normalizedBundleID normalizedAppName appNameLettersOnly String.contains() unanchored substring

Raw Developer Origin & Technical Request

Source Icon GitHub Issue Apr 16, 2026
Repo: momenbasel/PureMac
security: app-uninstaller short-name bomb + unchecked removeItem wipes user data

### Summary
A malicious `.app` dropped into `~/Applications` makes PureMac's uninstaller propose deletion of arbitrary user directories via three compounding issues:

1. `AppPathFinder.matchesApp` enforces `normalizedBundleID.count >= 5` but has NO length check on `normalizedAppName` / `appNameLettersOnly`; `normalizedForMatching()` strips space/dash/underscore/dot, so app name \"s-s-h\" becomes the 3-char token \"ssh\" that `String.contains()` then matches against home entries.
2. `matchesApp` and `applyConditions` use `normalizedBundleID.contains(condition.bundleID)` — unanchored substring. Attacker bundle ID `com.evil.jetbrainsapp` hijacks the `jetbrains` condition and force-includes real JetBrains/Arc/VSCode directories.
3. `AppState.removeSelectedFiles` and `OrphanListView` Remove Selected call raw `FileManager.default.removeItem(at:)` — no `isSafeToDelete`, no symlink guard, no confirmation dialog. The `CleaningEngine`'s allow-list does not apply here.

### Location
- `PureMac/Logic/Scanning/AppPathFinder.swift` 198-264, 324-341
- `PureMac/Logic/Scanning/StringNormalization.swift` 5-11
- `PureMac/ViewModels/AppState.swift` 116-131
- `PureMac/Views/Orphans/OrphanListView.swift` 63-67

### Evidence (runtime)
Attacker drops `~/Applications/s-s-h.app` (Info.plist with `CFBundleDisplayName=s-s-h`).
```
normalizedAppName = ssh
[scan] .ssh → normalized=ssh **MATCH**
[uninstaller] proposes: ~/.ssh (pre-selected)
[user clicks Uninstall]
[remove] ~/.ssh → OK ← id_rsa, k...

Developer Debate & Comments

No active discussions extracted for this entry yet.

Adjacent Repository Pain Points

Other highly discussed features and pain points extracted from momenbasel/PureMac.

Extracted Positioning
Feature request for bulk selection and deletion of orphaned files, and clarification on scan accuracy.
Efficient and user-friendly cleanup; accurate identification of deletable files; transparent operation.
Extracted Positioning
Ineffective or non-functional application uninstallation feature.
Comprehensive and reliable application uninstallation; clear user feedback on deletion status.
Extracted Positioning
Inconsistent version reporting between download source and application's 'About' information.
Clear and accurate product versioning; professional software presentation.
Extracted Positioning
Allow-list bypass vulnerability due to incorrect path prefix matching without trailing slash.
Secure file system operations; accurate allow-list validation; preventing unauthorized file deletion.
Extracted Positioning
Zero-click data loss vulnerability through environmental variable injection and insecure default scheduling.
Secure system interaction; preventing unauthorized data deletion; robust environment variable handling; secure default configurations.

Frequently Asked Questions

Market intelligence mapped to Security vulnerability in the app uninstaller allowing arbitrary user data deletion via 'short-name bomb' and unchecked file operations..

What problem does Security vulnerability in the app uninstaller allowing arbitrary user data deletion via 'short-name bomb' and unchecked file operations. solve?
Based on our AI analysis of the original developer request, its primary technical positioning is: Secure and safe application uninstallation; preventing malicious data deletion; robust input validation and file system interaction.
Which technical concepts are associated with Security vulnerability in the app uninstaller allowing arbitrary user data deletion via 'short-name bomb' and unchecked file operations.?
Our proprietary extraction maps Security vulnerability in the app uninstaller allowing arbitrary user data deletion via 'short-name bomb' and unchecked file operations. to adjacent architectural concepts including malicious .app, arbitrary user directories, AppPathFinder.matchesApp, normalizedBundleID.

Engagement Signals

0
Replies
open
Issue Status

Cross-Market Term Frequency

Quantifies the cross-market adoption of foundational terms like isSafeToDelete and malicious .app by tracking occurrence frequency across active SaaS architectures and enterprise developer debates.