Apple users may have been left at risk for over a decade due to an undetected vulnerability recently fixed in CocoaPods – a dependency manager which hosts code libraries for Swift and Objective-C projects for developing apps for Apple. According to a report, security researchers discovered a critical issue which could have allowed threat actors to inject malicious code and gain access to sensitive user data, putting over 3 million iOS and macOS apps at risk.
Apple Apps at Risk
According to researchers at the cybersecurity firm EVA Information Security, three previously undiscovered vulnerabilities were found in CocoaPods, that could have allowed threat actors to claim ownership of orphaned packages, known as pods. It is said to have enabled them to inject code in applications for iOS and macOS platforms – operating systems used by Apple’s iPhone and iPad devices, respectively.
This vulnerability is reported to have originated in 2014 in the “trunk” server of CocoaPods, following a migration process. As per the researchers, threat actors could have used an API and an email address – both available in CocoaPods’ source code, to claim ownership of the pods, replacing their original source code with their malicious one.
Researchers claim another vulnerability would have enabled the use of the email verification process to run arbitrary code on the server, allowing the threat actor to manipulate and replace pods.
The exploits put millions of iOS and macOS apps, along with sensitive user data such as passwords, credit card details, medical records, and more, at risk.
“Injecting code into these applications could enable attackers to access this information for almost any malicious purpose imaginable – ransomware, fraud, blackmail, corporate espionage… In the process, it could expose companies to major legal liabilities and reputational risk”, the researchers said.
It is further claimed that the vulnerabilities were patched in October 2023. Researchers say they notified CocoaPods of them, following which all session keys were wiped out to ensure secure access to pods.
Previous Vulnerabilities
This is not the first time that CocoaPods has come under scrutiny due to security vulnerabilities. In 2021, it was discovered that a malicious package published on the dependency manager could allow threat actors to run arbitrary code on its servers due to a remote code execution (RCE) issue, potentially putting millions of apps at risk.
This vulnerability was found to exist since 2015 and was only patched in 2021.
