Over 3 Million iOS, macOS Apps Found at Risk Due to CocoaPods Security Breach: Report
Undiscovered vulnerabilities were found in CocoaPods which may have allowed threat actors to gain access to sensitive user data.
Advertisement
Highlights
- Critical security vulnerabilities were reported in CocoaPods platform
- Researchers say it put over 3 million iOS and macOS apps at risk
- The vulnerabilities were patched in October last year
The exploits are reported to have put millions of iOS and macOS apps at risk
Photo Credit: Unsplash/Sara Kurfeß
Apple users may have been left at risk for over a decade due to an undetected vulnerability recently fixed in CocoaPods – a dependency manager which hosts code libraries for Swift and Objective-C projects for developing apps for Apple. According to a report, security researchers discovered a critical issue which could have allowed threat actors to inject malicious code and gain access to sensitive user data, putting over 3 million iOS and macOS apps at risk.
Apple Apps at Risk
According to researchers at the cybersecurity firm EVA Information Security, three previously undiscovered vulnerabilities were found in CocoaPods, that could have allowed threat actors to claim ownership of orphaned packages, known as pods. It is said to have enabled them to inject code in applications for iOS and macOS platforms – operating systems used by Apple's iPhone and iPad devices, respectively.
This vulnerability is reported to have originated in 2014 in the “trunk” server of CocoaPods, following a migration process. As per the researchers, threat actors could have used an API and an email address – both available in CocoaPods' source code, to claim ownership of the pods, replacing their original source code with their malicious one.
Researchers claim another vulnerability would have enabled the use of the email verification process to run arbitrary code on the server, allowing the threat actor to manipulate and replace pods.
Advertisement
The exploits put millions of iOS and macOS apps, along with sensitive user data such as passwords, credit card details, medical records, and more, at risk.
“Injecting code into these applications could enable attackers to access this information for almost any malicious purpose imaginable - ransomware, fraud, blackmail, corporate espionage… In the process, it could expose companies to major legal liabilities and reputational risk”, the researchers said.
Advertisement
It is further claimed that the vulnerabilities were patched in October 2023. Researchers say they notified CocoaPods of them, following which all session keys were wiped out to ensure secure access to pods.
Previous Vulnerabilities
This is not the first time that CocoaPods has come under scrutiny due to security vulnerabilities. In 2021, it was discovered that a malicious package published on the dependency manager could allow threat actors to run arbitrary code on its servers due to a remote code execution (RCE) issue, potentially putting millions of apps at risk.
Advertisement
This vulnerability was found to exist since 2015 and was only patched in 2021.
Is the Samsung Galaxy Z Flip 5 the best foldable phone you can buy in India right now? We discuss the company's new clamshell-style foldable handset on the latest episode of Orbital, the Gadgets 360 podcast. Orbital is available on Spotify, Gaana, JioSaavn, Google Podcasts, Apple Podcasts, Amazon Music and wherever you get your podcasts.
Affiliate links may be automatically generated - see our ethics statement for details.
For the latest tech news and reviews, follow Gadgets 360 on X, Facebook, WhatsApp, Threads and Google News. For the latest videos on gadgets and tech, subscribe to our YouTube channel. If you want to know everything about top influencers, follow our in-house Who'sThat360 on Instagram and YouTube.
Advertisement