Many iOS and macOS devices appear to have been exposed to security vulnerabilities, according to research by E.V.A. Information Security. The flaws were found in CocoaPods, an open-source dependency manager. Around 3 million iOS and macOS apps built with CocoaPods have been vulnerable for almost a decade, the report suggests.
The threat centres on CocoaPods, which programmers use to integrate existing software libraries into their apps. The flaws could be exploited to secretly introduce malicious code into apps that rely on those libraries.
E.V.A. Information Security researchers found several vulnerabilities in the CocoaPods dependency manager that would allow a malicious actor to claim ownership of thousands of unclaimed pods. An attacker could reportedly use this to inject malicious code into several popular iOS and macOS apps.
Are Apple iOS And MacOS Devices Under Threat?
The E.V.A. Information Security report explains that such an attack on the mobile app ecosystem is capable of infecting almost all Apple devices. This could leave thousands of organizations exposed to financial and reputational damage.
So how does the threat work? According to the security company, an insecure email verification workflow could be exploited to run arbitrary code on the CocoaPods ‘Trunk’ server. This would enable an attacker to manipulate or replace the packages being downloaded, E.V.A. explained in an official blog post.
CocoaPods can also allow zero-day attacks against the most advanced organizations’ infrastructure. “The most serious flaw is CVE-2024-38366, which created a way for hackers to take over unclaimed software packages, known as Pods, without going through any ‘ownership verification process’,” the security firm highlighted. The flaws also increase the risk of software supply chain attacks.
Is Apple Taking Any Safety Measures?
Thankfully, all the vulnerabilities were patched after the report surfaced. The fixes are reported to include “wiping all session keys,” preventing unauthorized users from pushing code updates.
The security firm also advised that developers and DevOps teams that have used CocoaPods in recent years should verify the integrity of the open-source dependencies used in their application code.
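One practical way to act on that advice is to treat the `SPEC CHECKSUMS` section of a project's Podfile.lock as an integrity record and compare it against a baseline committed before the disclosure: a pod whose podspec checksum changes while its version number stays the same, or a pod that appears in the lockfile without being in the baseline, is exactly the kind of deviation a tampered or hijacked package would produce. The script below is an added example written for this article, not code from E.V.A. Information Security or the CocoaPods project; the two lockfiles, the pod names and the checksum values are constructed for illustration.

```python
"""Audit a Podfile.lock against a trusted baseline copy.

Added example (not from the article or the CocoaPods project). It parses the
PODS and SPEC CHECKSUMS sections of two Podfile.lock files and reports pods
whose podspec checksum changed without a version change, pods that are new,
pods that were removed, and plain version bumps.
"""
import re

# Top-level pod entries under PODS are indented exactly two spaces and carry
# the resolved version in parentheses; nested dependency lines use four spaces.
POD_ENTRY_RE = re.compile(r"^  - ([A-Za-z0-9_.+-]+(?:/[A-Za-z0-9_.+-]+)*) \(([^)]+)\):?\s*$")
# Entries under SPEC CHECKSUMS are "<pod>: <40 hex chars>".
CHECKSUM_RE = re.compile(r"^\s*([A-Za-z0-9_.+-]+): ([0-9a-f]{40})\s*$")


def parse_podfile_lock(text):
    """Return (versions, checksums) dicts keyed by pod name."""
    versions, checksums = {}, {}
    section = None
    for line in text.splitlines():
        if line and not line[0].isspace():
            # A non-indented line starts a new top-level section (PODS:, SPEC CHECKSUMS:, ...).
            section = line.split(":", 1)[0]
            continue
        if section == "PODS":
            m = POD_ENTRY_RE.match(line)
            if m:
                # Subspecs such as Foo/Core share the checksum of the parent pod Foo.
                versions.setdefault(m.group(1).split("/")[0], m.group(2))
        elif section == "SPEC CHECKSUMS":
            m = CHECKSUM_RE.match(line)
            if m:
                checksums[m.group(1)] = m.group(2)
    return versions, checksums


def audit(baseline_text, current_text):
    """Return a sorted list of (pod, finding) tuples for every deviation."""
    base_v, base_c = parse_podfile_lock(baseline_text)
    cur_v, cur_c = parse_podfile_lock(current_text)
    findings = []
    for pod in sorted(set(base_c) | set(cur_c)):
        if pod not in base_c:
            findings.append((pod, "new pod not present in baseline"))
        elif pod not in cur_c:
            findings.append((pod, "pod removed"))
        elif base_c[pod] != cur_c[pod]:
            if base_v.get(pod) == cur_v.get(pod):
                # Same version, different podspec: the spec was altered upstream.
                findings.append((pod, "podspec checksum changed without a version change"))
            else:
                findings.append((pod, f"version changed {base_v.get(pod)} -> {cur_v.get(pod)}"))
    return findings


# Constructed sample lockfiles; pod names and checksums are made up for the example.
BASELINE_LOCK = """PODS:
  - ExampleNetworking (1.2.0):
    - SampleHTTP (~> 5.6)
  - SampleHTTP (5.6.4)
  - UnownedUtility (0.9.1)

DEPENDENCIES:
  - ExampleNetworking (~> 1.2)
  - SampleHTTP (~> 5.6)
  - UnownedUtility

SPEC CHECKSUMS:
  ExampleNetworking: 1111111111111111111111111111111111111111
  SampleHTTP: aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
  UnownedUtility: 2222222222222222222222222222222222222222

PODFILE CHECKSUM: 3333333333333333333333333333333333333333

COCOAPODS: 1.12.1
"""

CURRENT_LOCK = """PODS:
  - ExampleNetworking (1.2.0):
    - SampleHTTP (~> 5.6)
  - InjectedHelper (0.0.1)
  - SampleHTTP (5.7.0)
  - UnownedUtility (0.9.1)

SPEC CHECKSUMS:
  ExampleNetworking: 1111111111111111111111111111111111111111
  InjectedHelper: 4444444444444444444444444444444444444444
  SampleHTTP: bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb
  UnownedUtility: 5555555555555555555555555555555555555555

PODFILE CHECKSUM: 3333333333333333333333333333333333333333

COCOAPODS: 1.12.1
"""

if __name__ == "__main__":
    for pod, finding in audit(BASELINE_LOCK, CURRENT_LOCK):
        print(f"{pod}: {finding}")
```

Run against real files by reading the committed baseline and the freshly resolved Podfile.lock into `audit`. A version bump is routine and only needs the usual review; a checksum change with no version change, or a pod nobody added to the Podfile, is the finding to escalate, and pods that show up in the unclaimed category deserve the closest look.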
As per the reports, a significant percentage of the Swift and Objective-C application ecosystem (including iOS, macOS, and other Apple device software) is vulnerable to the CocoaPods threat. The security firm noted that software relying on CocoaPods packages that have no assigned owner requires special attention.