Over 3 Million iOS, macOS Apps Found at Risk Due to CocoaPods Security Breach: Report
Undiscovered vulnerabilities were found in CocoaPods which may have allowed threat actors to gain access to sensitive user data.
Photo Credit: Unsplash/Sara Kurfeß
The exploits are reported to have put millions of iOS and macOS apps at risk
Highlights
- Critical security vulnerabilities were reported in CocoaPods platform
- Researchers say it put over 3 million iOS and macOS apps at risk
- The vulnerabilities were patched in October last year
Apple users may have been left at risk for over a decade due to an undetected vulnerability recently fixed in CocoaPods – a dependency manager which hosts code libraries for Swift and Objective-C projects for developing apps for Apple. According to a report, security researchers discovered a critical issue which could have allowed threat actors to inject malicious code and gain access to sensitive user data, putting over 3 million iOS and macOS apps at risk.
Apple Apps at Risk
According to researchers at the cybersecurity firm EVA Information Security, three previously undiscovered vulnerabilities were found in CocoaPods, that could have allowed threat actors to claim ownership of orphaned packages, known as pods. It is said to have enabled them to inject code in applications for iOS and macOS platforms – operating systems used by Apple’s iPhone and iPad devices, respectively.
This vulnerability is reported to have originated in 2014 in the “trunk” server of CocoaPods, following a migration process. As per the researchers, threat actors could have used an API and an email address – both available in CocoaPods' source code, to claim ownership of the pods, replacing their original source code with their malicious one.
- iOS 18 Will Introduce These India-Focused Features Later This Year
Researchers claim another vulnerability would have enabled the use of the email verification process to run arbitrary code on the server, allowing the threat actor to manipulate and replace pods.
The exploits put millions of iOS and macOS apps, along with sensitive user data such as passwords, credit card details, medical records, and more, at risk.
“Injecting code into these applications could enable attackers to access this information for almost any malicious purpose imaginable – ransomware, fraud, blackmail, corporate espionage… In the process, it could expose companies to major legal liabilities and reputational risk”, the researchers said.
- Apple Intelligence’s Premium Features Could be Behind a Paid Tier: Report
It is further claimed that the vulnerabilities were patched in October 2023. Researchers say they notified CocoaPods of them, following which all session keys were wiped out to ensure secure access to pods.
Previous Vulnerabilities
This is not the first time that CocoaPods has come under scrutiny due to security vulnerabilities. In 2021, it was discovered that a malicious package published on the dependency manager could allow threat actors to run arbitrary code on its servers due to a remote code execution (RCE) issue, potentially putting millions of apps at risk.
- OpenSSH Vulnerability Reportedly Puts Over 14 Million Servers at Risk
This vulnerability was found to exist since 2015 and was only patched in 2021.
Is the Samsung Galaxy Z Flip 5 the best foldable phone you can buy in India right now? We discuss the company's new clamshell-style foldable handset on the latest episode of Orbital, the Gadgets 360 podcast. Orbital is available on Spotify, Gaana, JioSaavn, Google Podcasts, Apple Podcasts, Amazon Music and wherever you get your podcasts.
Affiliate links may be automatically generated – see our ethics statement for details.