Over 3 Million iOS, macOS Apps Found at Risk Due to CocoaPods Security Breach: Report


Apple users may have been at risk for more than a decade due to a recently patched, previously undetected vulnerability in CocoaPods, a dependency manager that hosts code libraries for the Swift and Objective-C projects used to build apps for Apple platforms. According to a report, security researchers discovered a critical issue that could have allowed threat actors to inject malicious code and access sensitive user data, putting more than 3 million iOS and macOS apps at risk.

Apple apps at risk

According to researchers at cybersecurity firm EVA Information Security, three previously undiscovered vulnerabilities were found in CocoaPods that could have allowed threat actors to claim ownership of orphaned packages, known as pods. This is said to have allowed them to inject code into apps for the iOS and macOS platforms, operating systems used by Apple's iPhone and iPad devices, respectively.

This vulnerability is reported to have originated in 2014 on the CocoaPods “trunk” server, following a migration process. According to the researchers, threat actors could have used an API and an email address, both available in the CocoaPods source code, to claim ownership of the orphaned pods and replace their original source code with malicious code.

The researchers claim that another vulnerability would have allowed the email verification process to be used to execute arbitrary code on the server, allowing the threat actor to manipulate and replace the pods.

The exploits put millions of iOS and macOS apps at risk, along with sensitive user data such as passwords, credit card details, medical records and more.

“Injecting code into these applications could allow attackers to access this information for almost any malicious purpose imaginable: ransomware, fraud, blackmail, corporate espionage… In the process, it could expose companies to significant legal liability and reputational risk,” the researchers said.

The vulnerabilities are said to have been patched in October 2023. The researchers say they notified CocoaPods, after which all session keys were removed to ensure secure access to the pods.
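One defensive check that follows from the takeover scenario above, added here as an example and not code from the article or from the CocoaPods project: a small Python script that parses a project's Podfile.lock and compares each pod's podspec checksum against a reviewed baseline, so a podspec swapped under an existing pod name shows up at the next build rather than silently. The pod names, checksums and the BASELINE dictionary are constructed assumptions.

```python
import re
# Constructed sample Podfile.lock (not from the article) in CocoaPods' real section
# layout (PODS, SPEC REPOS, SPEC CHECKSUMS); pod names and checksums are made up.
SAMPLE_LOCK = """PODS:
  - ExamplePodA (2.1.0):
    - ExamplePodB (~> 0.9)
  - ExamplePodB (0.9.3)
SPEC REPOS:
  trunk:
    - ExamplePodA
    - ExamplePodB
SPEC CHECKSUMS:
  ExamplePodA: 1111111111111111111111111111111111111111
  ExamplePodB: 2222222222222222222222222222222222222222
"""
# Hypothetical baseline captured at the last reviewed build: pod -> (version, checksum).
BASELINE = {
    "ExamplePodA": ("2.1.0", "1111111111111111111111111111111111111111"),
    "ExamplePodB": ("0.9.3", "deadbeefdeadbeefdeadbeefdeadbeefdeadbeef"),
}

def parse_lock(text):
    """Return {pod: (version, spec_repo, podspec_checksum)} from Podfile.lock text."""
    versions, repos, checksums, section, repo = {}, {}, {}, None, None
    for line in filter(str.strip, text.splitlines()):
        if not line.startswith(" "):                 # section header such as "PODS:"
            section = line.rstrip(":")
        elif section == "PODS":                      # 2-space indent = direct entry;
            m = re.match(r"  - (\S+) \(([^)]+)\):?$", line)  # deeper = sub-dependency
            if m:
                versions[m.group(1)] = m.group(2)
        elif section == "SPEC REPOS":
            if re.match(r"  \S+:$", line):           # repo name line, e.g. "  trunk:"
                repo = line.strip().rstrip(":")
            else:
                repos[line.strip()[2:]] = repo       # "- PodName" -> "PodName"
        elif section == "SPEC CHECKSUMS":
            name, _, sha = line.strip().partition(": ")
            checksums[name] = sha
    return {p: (v, repos.get(p), checksums.get(p)) for p, v in versions.items()}

def check_lock(text, baseline):
    """Flag pods absent from the baseline or whose podspec checksum changed at the same version."""
    findings = []
    for pod, (ver, repo, sha) in sorted(parse_lock(text).items()):
        if pod not in baseline:
            findings.append((pod, f"new pod resolved from {repo}; review before trusting"))
        elif baseline[pod] != (ver, sha):            # replaced podspec changes the checksum
            findings.append((pod, f"podspec checksum changed at version {ver}"))
    return findings
```

The SPEC CHECKSUMS entry covers only the podspec, not the fetched source, so pinning pods to a specific commit or vendoring them is still needed to cover source replacement.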

Previous vulnerabilities

This isn't the first time CocoaPods has come under scrutiny for security vulnerabilities. In 2021, it was discovered that a malicious package published in the dependency manager could allow threat actors to execute arbitrary code on its servers due to a remote code execution (RCE) issue, which could have put millions of applications at risk.

This vulnerability was found to exist since 2015 and was only patched in 2021.

