Apple users may have been at risk for more than a decade due to an undisclosed vulnerability recently patched in CocoaPods – the dependency manager that hosts code libraries for Swift and Objective-C projects for Apple app development. According to the report, security researchers discovered a critical issue that could have allowed threat actors to inject malicious code and gain access to sensitive user data, putting more than 3 million iOS and macOS apps at risk.
Apple apps at risk
According to researchers at cybersecurity firm EVA Information Security, three previously undisclosed vulnerabilities were found in CocoaPods that could have allowed threat actors to claim ownership of orphaned packages, known as pods. This is said to have enabled them to inject code into applications for the iOS and macOS platforms – the operating systems used by Apple’s iPhone and iPad devices, respectively.
This vulnerability was reported to have originated in 2014 on the “main” CocoaPods server, after a migration process. According to the researchers, threat actors were able to use the API and the email address – both available in the CocoaPods source code – to take ownership of the pods, replacing the original source code with malicious code of their own.
The researchers claim that another vulnerability would allow the email verification process to be used to run arbitrary code on the server, allowing a threat actor to manipulate and swap pods.
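Both issues described above end with a pod being swapped while its name and version stay the same, so one defender-side check is to compare the project's committed Podfile.lock with the one produced by a fresh install and flag any pod whose podspec checksum changed without a version change, or that was newly added. This is an added example, not code from the article, EVA Information Security or CocoaPods; the lock-file excerpts are constructed, and the pod names and 40-hex-digit checksums are placeholders.

```python
import re
# Constructed Podfile.lock excerpts (not from the article); names and 40-hex checksums are placeholders.
SUM_OK, SUM_OLD, SUM_NEW, SUM_ADD = "a" * 40, "b" * 40, "c" * 40, "d" * 40
LOCK_BEFORE = f"""PODS:
  - Alamofire (5.6.4)
  - ExamplePod (1.2.0)
  - ExamplePod/Core (1.2.0)
SPEC CHECKSUMS:
  Alamofire: {SUM_OK}
  ExamplePod: {SUM_OLD}
"""
LOCK_AFTER = f"""PODS:
  - Alamofire (5.6.4)
  - ExamplePod (1.2.0)
  - ExamplePod/Core (1.2.0)
  - NewPod (0.1.0)
SPEC CHECKSUMS:
  Alamofire: {SUM_OK}
  ExamplePod: {SUM_NEW}
  NewPod: {SUM_ADD}
"""

# "  - Name (1.2.3)" or "  - Name/Subspec (1.2.3):" under PODS; "  Name: <sha1>" under SPEC CHECKSUMS
POD_LINE = re.compile(r"^  - ([^\s/]+)(?:/\S+)? \(([^)]+)\):?$")
SUM_LINE = re.compile(r"^  (\S+): ([0-9a-f]{40})$")

def parse_lock(text):
    """Return {pod: (resolved_version, podspec_checksum)} from a Podfile.lock."""
    versions, sums, section = {}, {}, None
    for line in text.splitlines():
        if line and not line.startswith(" "):      # section header such as "PODS:"
            section = line.rstrip(":")
        elif section == "PODS":
            if (m := POD_LINE.match(line)) and m.group(1) not in versions:
                versions[m.group(1)] = m.group(2)  # subspecs share the root pod's entry
        elif section == "SPEC CHECKSUMS":
            if m := SUM_LINE.match(line):
                sums[m.group(1)] = m.group(2)
    return {pod: (ver, sums.get(pod)) for pod, ver in versions.items()}

def suspicious_changes(before, after):
    """Flag newly added pods and pods whose podspec checksum changed at an unchanged version."""
    old, new = parse_lock(before), parse_lock(after)
    findings = []
    for pod, (ver, chk) in sorted(new.items()):
        if pod not in old:
            findings.append((pod, "added", ver))
        elif old[pod][0] == ver and old[pod][1] != chk:
            findings.append((pod, "checksum changed at same version", ver))
    return findings
```

A checksum that changes while the resolved version does not means the published podspec for that version was re-issued, which is exactly what a swapped pod looks like from the consuming project's side and warrants inspection before the build proceeds.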
The exploits compromised millions of iOS and macOS apps, along with sensitive user data such as passwords, credit card information, medical records and more.
“Injecting code into these applications could allow attackers to access this information for almost any imaginable malicious purpose – ransomware, fraud, blackmail, corporate espionage… In the process, it could expose companies to significant legal liability and reputational risk,” the researchers said.
The vulnerabilities are further claimed to have been patched in October 2023. The researchers say they notified CocoaPods about them, after which all session keys were deleted to ensure secure access to the pods.
Previous vulnerabilities
This is not the first time CocoaPods has come under scrutiny for security flaws. In 2021, it was discovered that a malicious package published on the dependency manager could allow threat actors to run arbitrary code on its servers due to a Remote Code Execution (RCE) issue, potentially putting millions of applications at risk.
This vulnerability was found to exist since 2015 and was not patched until 2021.