Over 3 Million iOS, macOS Apps Found at Risk Due to CocoaPods Security Breach: Report

Undiscovered vulnerabilities were found in CocoaPods which may have allowed threat actors to gain access to sensitive user data.

Written by Shaurya Tomer, Edited by Manas Mitul | Updated: 3 July 2024 14:01 IST

Over 3 Million iOS, macOS Apps Found at Risk Due to CocoaPods Security Breach: Report

Photo Credit: Unsplash/Sara Kurfeß

The exploits are reported to have put millions of iOS and macOS apps at risk

Highlights

Critical security vulnerabilities were reported in CocoaPods platform
Researchers say it put over 3 million iOS and macOS apps at risk
The vulnerabilities were patched in October last year

Apple users may have been left at risk for over a decade due to an undetected vulnerability recently fixed in CocoaPods – a dependency manager which hosts code libraries for Swift and Objective-C projects for developing apps for Apple. According to a report, security researchers discovered a critical issue which could have allowed threat actors to inject malicious code and gain access to sensitive user data, putting over 3 million iOS and macOS apps at risk.

Apple Apps at Risk

According to researchers at the cybersecurity firm EVA Information Security, three previously undiscovered vulnerabilities were found in CocoaPods, that could have allowed threat actors to claim ownership of orphaned packages, known as pods. It is said to have enabled them to inject code in applications for iOS and macOS platforms – operating systems used by Apple's iPhone and iPad devices, respectively.

This vulnerability is reported to have originated in 2014 in the “trunk” server of CocoaPods, following a migration process. As per the researchers, threat actors could have used an API and an email address – both available in CocoaPods' source code, to claim ownership of the pods, replacing their original source code with their malicious one.

iOS 18 Will Introduce These India-Focused Features Later This Year

Researchers claim another vulnerability would have enabled the use of the email verification process to run arbitrary code on the server, allowing the threat actor to manipulate and replace pods.

The exploits put millions of iOS and macOS apps, along with sensitive user data such as passwords, credit card details, medical records, and more, at risk.

“Injecting code into these applications could enable attackers to access this information for almost any malicious purpose imaginable - ransomware, fraud, blackmail, corporate espionage… In the process, it could expose companies to major legal liabilities and reputational risk”, the researchers said.

Apple Intelligence’s Premium Features Could be Behind a Paid Tier: Report

It is further claimed that the vulnerabilities were patched in October 2023. Researchers say they notified CocoaPods of them, following which all session keys were wiped out to ensure secure access to pods.

Previous Vulnerabilities

This is not the first time that CocoaPods has come under scrutiny due to security vulnerabilities. In 2021, it was discovered that a malicious package published on the dependency manager could allow threat actors to run arbitrary code on its servers due to a remote code execution (RCE) issue, potentially putting millions of apps at risk.

OpenSSH Vulnerability Reportedly Puts Over 14 Million Servers at Risk

This vulnerability was found to exist since 2015 and was only patched in 2021.

Is the Samsung Galaxy Z Flip 5 the best foldable phone you can buy in India right now? We discuss the company's new clamshell-style foldable handset on the latest episode of Orbital, the Gadgets 360 podcast. Orbital is available on Spotify, Gaana, JioSaavn, Google Podcasts, Apple Podcasts, Amazon Music and wherever you get your podcasts.

Affiliate links may be automatically generated - see our ethics statement for details.

Comments

For the latest tech news and reviews, follow Gadgets 360 on X, Facebook, WhatsApp, Threads and Google News. For the latest videos on gadgets and tech, subscribe to our YouTube channel. If you want to know everything about top influencers, follow our in-house Who'sThat360 on Instagram and YouTube.

Further reading: iOS Apps, iOS Security, Apple

Shaurya Tomer

Email Shaurya Tomer

Shaurya Tomer is a Sub Editor at Gadgets 360 with 2 years of experience across a diverse spectrum of topics. With a particular focus on smartphones, gadgets and the ever-evolving landscape of artificial intelligence (AI), he often likes to explore the industry's intricacies and innovations – whether dissecting the latest smartphone release or exploring the ethical implications of AI advancements. In his free time, he often embarks on impromptu road trips to unwind, recharge, and ...More