Over 3 Million iOS, macOS Apps Found at Risk Due to CocoaPods Security Breach: Report

  • Tech
  • July 3, 2024

Apple users may have been exposed for close to a decade because of a long-undetected vulnerability, now fixed, in CocoaPods, the dependency manager that hosts third-party code libraries ("pods") for Swift and Objective-C projects targeting Apple platforms. According to a report from security researchers, the issue could have allowed threat actors to inject malicious code into apps that pull in those libraries and so gain access to sensitive user data, putting over 3 million iOS and macOS apps at risk.

Apple Apps at Risk

According to researchers at the cybersecurity firm EVA Information Security, three previously undisclosed vulnerabilities were found in CocoaPods. The most serious could have allowed threat actors to claim ownership of orphaned packages, known as pods, whose original maintainers were no longer registered as owners. Because apps pull those pods in at build time, the flaw could have let an attacker inject code into applications for iOS and macOS, the operating systems that run Apple's iPhone and Mac computers respectively.

The orphaned-pod vulnerability is reported to date back to 2014, when a migration to CocoaPods' "trunk" server left many pods without a claimed owner. As per the researchers, an attacker could have used a public API endpoint together with a default owner email address, both visible in CocoaPods' open source code, to claim ownership of those pods and then replace their original source code with malicious code that every dependent app would pick up on its next update.

A second vulnerability, the researchers say, was in the trunk server's email verification process: a crafted verification request would have allowed arbitrary code to run on the server itself, from where an attacker could manipulate or replace pods wholesale rather than one at a time.

Because injected code runs inside the apps that depend on the pod, with all of the app's permissions, the flaws put millions of iOS and macOS apps, and the sensitive data they handle such as passwords, credit card details and medical records, at risk.

“Injecting code into these applications could enable attackers to access this information for almost any malicious purpose imaginable – ransomware, fraud, blackmail, corporate espionage… In the process, it could expose companies to major legal liabilities and reputational risk”, the researchers said.

The researchers say they reported the issues to CocoaPods, which patched them in October 2023 and reset all existing session keys, so that every pod owner had to re-authenticate before publishing to their pods again.
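The takeover described above only reaches an app that picks up the attacker's new pod version. A project that pins exact versions in its Podfile and commits a Podfile.lock with SPEC CHECKSUMS keeps resolving the version that was reviewed on every `pod install`, which narrows the exposure. The script below is an example added here, not code from the article, from EVA Information Security or from the CocoaPods project. It audits a Podfile.lock for dependencies resolved from the central "trunk" spec repo that are not pinned to an exact version, for git sources that track a branch rather than a commit, and for pods with no checksum entry. The lock file it parses is a constructed sample: the pod names are real public pods, but the versions, commit hashes and checksums are placeholders.

```python
"""Audit a CocoaPods Podfile.lock for dependencies that would silently pick up
a new upstream version.  Added example; not code from the article or CocoaPods."""
import re

# Constructed sample Podfile.lock. Pod names are real public pods, but the
# versions, commit hashes and checksums are placeholders made up for this demo.
SAMPLE_LOCK = """\
PODS:
  - AFNetworking (4.0.1):
    - AFNetworking/NSURLSession (= 4.0.1)
  - AFNetworking/NSURLSession (4.0.1)
  - Alamofire (5.9.1)
  - KeychainAccess (4.2.2)
  - SwiftyBeaver (2.0.0)

DEPENDENCIES:
  - AFNetworking (~> 4.0)
  - Alamofire (from `https://github.com/Alamofire/Alamofire.git`, commit `1111111111111111111111111111111111111111`)
  - KeychainAccess (from `https://github.com/kishikawakatsumi/KeychainAccess.git`, branch `master`)
  - SwiftyBeaver (= 2.0.0)

SPEC REPOS:
  trunk:
    - AFNetworking
    - SwiftyBeaver

EXTERNAL SOURCES:
  Alamofire:
    :commit: 1111111111111111111111111111111111111111
    :git: https://github.com/Alamofire/Alamofire.git
  KeychainAccess:
    :branch: master
    :git: https://github.com/kishikawakatsumi/KeychainAccess.git

SPEC CHECKSUMS:
  AFNetworking: 2222222222222222222222222222222222222222
  Alamofire: 3333333333333333333333333333333333333333
  KeychainAccess: 4444444444444444444444444444444444444444

PODFILE CHECKSUM: 5555555555555555555555555555555555555555
COCOAPODS: 1.15.2
"""

# "  - Name (spec)" with an optional trailing ':' on PODS entries that have subspecs.
ENTRY_RE = re.compile(r"^\s*- ([^\s(]+)(?: \((.*)\))?:?$")
# An exact pin such as "= 2.0.0" or "= 1.2.3-beta.1".
EXACT_RE = re.compile(r"= \d+(?:\.\d+)*(?:[-+][0-9A-Za-z.-]+)?")


def split_sections(text):
    """Group the lock file's indented lines under their top-level keys."""
    sections, current = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line.startswith(" "):
            key, _, rest = line.partition(":")
            current = key
            sections[current] = [rest.strip()] if rest.strip() else []
        elif current is not None:
            sections[current].append(line)
    return sections


def parse_entries(lines, indent=2):
    """'  - Name (spec)' lines at exactly `indent` spaces -> {name: spec}."""
    out = {}
    for line in lines:
        if len(line) - len(line.lstrip(" ")) != indent:
            continue
        m = ENTRY_RE.match(line)
        if m:
            out[m.group(1)] = m.group(2) or ""
    return out


def parse_spec_repos(lines):
    """'  repo:' headers followed by '    - Pod' lines -> {pod: repo}."""
    repos, repo = {}, None
    for line in lines:
        stripped = line.strip()
        if stripped.endswith(":"):
            repo = stripped[:-1]
        elif stripped.startswith("- ") and repo:
            repos[stripped[2:]] = repo
    return repos


def parse_checksums(lines):
    """'  Pod: sha1' lines -> {pod: sha1}."""
    out = {}
    for line in lines:
        name, _, digest = line.strip().partition(":")
        if digest.strip():
            out[name] = digest.strip()
    return out


def audit(lock_text):
    """Return (pod, finding) pairs for a Podfile.lock body; empty list means clean."""
    s = split_sections(lock_text)
    pods = parse_entries(s.get("PODS", []))
    deps = parse_entries(s.get("DEPENDENCIES", []))
    repos = parse_spec_repos(s.get("SPEC REPOS", []))
    sums = parse_checksums(s.get("SPEC CHECKSUMS", []))
    findings = []
    for name, spec in sorted(deps.items()):
        resolved = pods.get(name, "?")
        if repos.get(name) == "trunk" and not EXACT_RE.fullmatch(spec):
            findings.append((name, f"trunk pod with loose constraint '{spec}' "
                                   f"(resolved {resolved}); pin '= {resolved}'"))
        if "branch `" in spec:
            findings.append((name, "git source tracks a branch; pin to a commit"))
    for name in sorted({p.split("/")[0] for p in pods}):
        if name not in sums:
            findings.append((name, "no SPEC CHECKSUMS entry; podspec cannot be checked on install"))
    return findings


if __name__ == "__main__":
    for pod, finding in audit(SAMPLE_LOCK):
        print(f"{pod}: {finding}")
```

Run it from CI against the committed Podfile.lock and fail the build on any finding. Two caveats: the lock file only constrains `pod install`, so a routine `pod update` re-resolves from the spec repo and would pull a version published by whoever owns the pod at that moment; and a trunk version pins the podspec, not the upstream git tag the podspec points at, so a pod whose source is a moveable tag is still only as trustworthy as that repository.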

Previous Vulnerabilities

This is not the first time CocoaPods has come under scrutiny for security vulnerabilities. In 2021, a remote code execution (RCE) flaw in the dependency manager's server was disclosed: a malicious package published to the service could run arbitrary code on CocoaPods' own servers, again potentially putting millions of apps at risk.

That flaw had existed since 2015 and was patched only in 2021.
