Previously undiscovered vulnerabilities put millions of iOS and macOS apps at risk
Apple users may have been exposed for the better part of a decade to vulnerabilities that went unnoticed in CocoaPods, a dependency manager that hosts code libraries for Swift and Objective-C projects used to build apps for Apple platforms; the flaws have since been fixed. According to a report, security researchers found critical issues that could have allowed attackers to inject malicious code and gain access to sensitive user data, putting more than 3 million iOS and macOS apps at risk.
Apple apps at risk
Cybersecurity firm EVA Information Security found three previously undiscovered vulnerabilities in CocoaPods that could have allowed threat actors to claim ownership of orphaned packages, known as pods. That in turn would have let them inject code into applications for iOS and macOS, the operating systems that run Apple's iPhone and iPad devices and its Mac computers, respectively.
The first vulnerability is believed to date from 2014, when CocoaPods migrated to its "trunk" server and pods that were not reclaimed by their authors during the migration were left orphaned. According to the researchers, threat actors could have used a public API together with a default owner email address, both visible in the CocoaPods source code, to claim ownership of those pods and replace their original source code with malicious code.
A second vulnerability allowed the email verification process to be abused to execute arbitrary code on the trunk server, which would let an attacker manipulate and replace pods directly.
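The check a team would want to run after the orphaned-pod disclosure above is to list the pods its project has locked and flag any whose recorded owners consist only of the default unclaimed-owner account. The following Ruby script is an added example, not code from the report or from CocoaPods: the Podfile.lock excerpt and the owner table are constructed for illustration (in practice the owner list would come from looking each pod up in the trunk registry), and the default owner address, which this page does not reproduce, is a placeholder that must be replaced with the real value.

```ruby
require 'yaml'

# Constructed Podfile.lock excerpt for the example; not taken from any real
# project. Subspecs (Name/Sub) resolve to the same root pod and version.
SAMPLE_PODFILE_LOCK = <<~LOCK
  PODS:
    - ExampleNetworking (5.6.4)
    - ExampleUI/Core (1.2.0)
    - ExampleUI/Extras (1.2.0):
      - ExampleUI/Core
    - OrphanedHelper (0.3.1)

  DEPENDENCIES:
    - ExampleNetworking (~> 5.6)
    - ExampleUI
    - OrphanedHelper
LOCK

# Placeholder for the default owner address the report describes; the real
# value is not reproduced on this page and must be substituted here.
DEFAULT_UNCLAIMED_OWNER = 'unclaimed-pods@example.invalid'

# Constructed stand-in for per-pod owner data; a live check would fetch each
# pod's owners from the trunk registry instead. One pod is left unclaimed.
SAMPLE_OWNERS = {
  'ExampleNetworking' => ['maintainer@example.com'],
  'ExampleUI'         => ['team@example.org', 'maintainer@example.com'],
  'OrphanedHelper'    => [DEFAULT_UNCLAIMED_OWNER],
}.freeze

# "Name (1.2.3)" or "Name/Subspec (1.2.3)" as written in the PODS section.
POD_ENTRY = /\A(?<name>[^\s(]+) \((?<version>[^)]+)\)\z/

# Parse the PODS section of a Podfile.lock into {root pod name => version}.
def locked_pods(lock_text)
  doc = YAML.safe_load(lock_text)
  doc.fetch('PODS', []).each_with_object({}) do |entry, pods|
    # An entry that lists transitive dependencies parses as a one-key hash;
    # a leaf entry parses as a plain string.
    label = entry.is_a?(Hash) ? entry.keys.first : entry
    next unless (m = POD_ENTRY.match(label))

    root = m[:name].split('/').first
    pods[root] ||= m[:version]
  end
end

# Return the pods whose owner list is empty or contains only the default
# unclaimed-owner address, i.e. the pods the takeover described above targeted.
def orphan_candidates(pods, owners_by_pod, default_owner = DEFAULT_UNCLAIMED_OWNER)
  pods.keys.select do |name|
    owners = owners_by_pod.fetch(name, [])
    owners.empty? || owners.all? { |o| o.casecmp?(default_owner) }
  end
end

if $PROGRAM_NAME == __FILE__
  pods = locked_pods(SAMPLE_PODFILE_LOCK)
  orphan_candidates(pods, SAMPLE_OWNERS).each do |name|
    puts "#{name} #{pods[name]}: owned only by the default unclaimed owner; verify its provenance"
  end
end
```

A pod with no recorded owner at all is treated the same way as one owned solely by the default account, since either state means nobody vouches for its contents; a pod that has at least one real owner alongside the default account is not flagged, because the takeover the report describes relied on the default account being the only owner.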
Exploiting these flaws could have compromised millions of iOS and macOS apps, along with sensitive user data such as passwords, credit card information, medical records, and more.
“By injecting code into these applications, attackers can gain access to this information for almost any conceivable malicious purpose – ransomware, fraud, blackmail, corporate espionage… In the process, it can expose companies to significant legal liabilities and reputational risk,” the researchers said.
The researchers say they reported the vulnerabilities to CocoaPods, which patched them in October 2023 and wiped all session keys so that access to pods had to be re-established securely.
Previous vulnerabilities
This isn't the first time CocoaPods has come under fire for security vulnerabilities. In 2021, it was discovered that a remote code execution (RCE) flaw allowed a malicious package published to the dependency manager to run arbitrary code on its servers, potentially compromising millions of apps.
That vulnerability had existed since 2015 and was only patched in 2021.