Apple CocoaPods Bugs Expose Millions of Apps to Code Injection

A near inconceivable number of Apple apps have been exposed to critical vulnerabilities in a popular dependency manager for years now.
CocoaPods is a platform that developers in Apple's ecosystem use to add and manage external libraries.
This makes the pods prime targets for hackers, and the CocoaPods platform - should it contain some underlying, platform-wide vulnerability - a bona fide money pit.
As revealed by E.V.A Information Security in a report on Monday, it turns out that the CocoaPods platform did contain a trio of serious vulnerabilities.
The most severe of them - CVE-2024-38366, a remote code execution opportunity - was assigned a critical 10 out of 10 CVSS rating.
Another remarkable bug caused by pods without owners, CVE-2024-38368, earned a critical 9.3, and an 8.2 was given to the session verification-hijacking issue CVE-2024-38367.
CocoaPods Mishandled APIs for a Decade CocoaPods was first developed and released in 2011.
Shockingly, ownership over all pods was reset.
In other words, users reclaimed their pods by simply calling dibs.
Anyone in possession of this knowledge could have, at any point from 2014 to 2023, claimed anyone else's pod for themselves, modified it however they wished, and pushed that modification to any Apple apps that use it.
E.V.A found evidence of orphaned pods in documentation for apps like Facebook, Safari, Microsoft Teams, TikTok, Snapchat, and many more.
Max-Severity RCE Bug Tied to RubyGem Ironically, CocoaPods' worst vulnerability lay with an open source component it incorporated back in 2014 for validating user email addresses.
Thanks to some vulnerable methods in the RubyGem package rfc-22, an attacker could have injected arbitrary malicious code into the address field during Trunk's account validation process.
The type of malicious code such an attacker could silently add to a pod would be limitless, and this is just one way they could take advantage of such access.
They could use such access to shut down Trunk entirely, or steal session tokens from pod owners or CocoaPods itself.
Needle in a Haystack There's no clear evidence that attackers have exploited any of the issues uncovered by the researchers and patched by CocoaPods in October.
It's worth noting that the easily concealable nature of software supply chain bugs, combined with the sheer number of pods at risk for so long, would provide ample cover to anyone who has done so.
Finding a CocoaPods exploit over the past decade would make finding a needle in a haystack seem easy, but that hasn't happened.
E.V.A recommends that any developers of apps that have relied on pods prior to last October should pursue six steps for remediation such as checking for orphaned pods and thoroughly reviewing all third-party code dependencies.
Dark Reading has also reached out to Apple for comment.


This Cyber News was published on www.darkreading.com. Publication date: Mon, 01 Jul 2024 14:20:08 +0000


Cyber News related to Apple CocoaPods Bugs Expose Millions of Apps to Code Injection

Apple CocoaPods Bugs Expose Millions of Apps to Code Injection - A near inconceivable number of Apple apps have been exposed to critical vulnerabilities in a popular dependency manager for years now. CocoaPods is a platform that developers in Apple's ecosystem use to add and manage external libraries. This makes ...
5 months ago Darkreading.com
'Almost every Apple device' vulnerable to CocoaPods The Register - CocoaPods, an open-source dependency manager used in over three million applications coded in Swift and Objective-C, left thousands of packages exposed and ready for takeover for nearly a decade - thereby creating opportunities for supply chain ...
5 months ago Packetstormsecurity.com
Critical CocoaPods Flaws Exposed Many iOS, macOS Apps to Supply Chain Attacks - Critical vulnerabilities in the CocoaPods dependency manager could have allowed threat actors to take over thousands of orphaned packages, execute shell commands, and take over accounts, potentially impacting millions of iOS and macOS applications, ...
5 months ago Securityweek.com
ChatGPT Clone Apps Collecting Personal Data on iOS, Play Store - On Android devices, one of the apps analyzed by researchers has more than 100,000 downloads, tracks, and shares location data with ByteDance and Amazon, etc. ChatGPT, the AI software, has already taken the Internet by storm, and that is why ...
1 year ago Hackread.com
Data Insecurity: Experts Sound the Alarm on 4 Apps Putting User Privacy at Risk - Even though many of us rely on apps to entertain us, guide us, manage our exercise, and connect with family and friends, they are notoriously hard to trust. In an age when technology is constantly evolving, it is almost impossible to tell if a ...
1 year ago Cysecurity.news
CVE of the month, the supply chain attack hidden for 10 years CVE-2024-38368 - CVE-2024-38368 is a vulnerability that affects the open-source supply chain of iOS and MacOS applications. CocoaPod is a dependency manager for Swift and Objective-C, essentially it is the NPM, RubyGems or PyPi equivalent of Swift and Objective-C. ...
5 months ago Securityboulevard.com
Pig Butchering: Fake Trading Apps Target Crypto on Apple, Google Play Stores - Pig Butchering scam targets crypto users with fake trading apps on Apple and Google Play Stores. These apps, found on Apple’s App Store and Google Play, and on phishing sites, are part of a Pig Butchering scam targeting cryptocurrency investors ...
2 months ago Hackread.com
Halting Hackers on the Holidays 2023 Part II: The Apps You Trust - Most free flashlight apps are creepware - also known as malware that spies on you and your online behavior and could pass along information to others. The problem doesn't begin and end with flashlight apps, though. Many seemingly innocuous apps that ...
1 year ago Cyberdefensemagazine.com
What Do Apple's EU App Store Changes Mean for App Developers? - In order to comply with the European Union's Digital Markets Act, Apple announced on Jan. 25 changes to its payment system for app sellers in the EU, and that it was letting go of the hold its App Store has over iOS app distribution in the EU. As ...
10 months ago Techrepublic.com
17 Risky Apps Threatening Your Smartphone Security - Users of Google Android and Apple iPhone smartphones have recently received a vital warning to immediately remove certain apps from their devices. The programs that were found to be potentially dangerous have been marked as posing serious concerns to ...
1 year ago Cysecurity.news
Google Online Security Blog: I/O 2024: What's new in Android security and privacy - As their tactics evolve in sophistication and scale, we continually adapt and enhance our advanced security features and AI-powered protections to help keep Android users safe. Today, we're announcing more new fraud and scam protection features ...
7 months ago Security.googleblog.com
Crypto scam apps infiltrate Apple App Store and Google Play - Operators of high-yielding investment scams known as "Pig butchering" have found a way to bypass the defenses in Google Play and Apple's App Store, the official repositories for Android and iOS apps. Pig butchering scams have been happening for a few ...
1 year ago Bleepingcomputer.com
Big Tech to EU: "Drop Dead" - There's just one wrinkle: the Big Tech companies don't want that future, and they're trying their damndest to strangle it in its cradle. Right from the start, it was obvious that the tech giants were going to war against the DMA, and the freedom it ...
7 months ago Eff.org
Alert: iPhone Push Notifications Exploited Users Data - The security researcher found users privacy concerns in iPhone push notifications, the apps accessing the accelerometer. It also details some privacy concerns regarding app access to this sensor. Some apps have been found to collect accelerometer ...
10 months ago Hackersonlineclub.com
Fraudsters Successfully Inserted Cryptocurrency Programs into Apple and Google's App Stores - Scammers were able to get two malicious apps onto the app stores of both Google and Apple, allowing them to trick users into investing in fake cryptocurrency. According to a report from Sophos, the apps, Ace Pro and MBM BitScan, were found on both ...
1 year ago Therecord.media
Ushering in the Next Phase of Mobile App Adoption: Bolstering Growth with Unyielding Security - In recent years, mobile apps have surged in popularity providing consumers with instant access to a variety of life essentials such as finances, education, and healthcare to life's pleasures such as shopping, sports, and gaming. With the popularity ...
1 year ago Cyberdefensemagazine.com
10 Key Things You Need to Know About the Sophisticated Vastflux Ad Fraud Scheme - At the end of April 2015, researchers from Distil Networks reported the discovery of a sophisticated ad fraud network, Vastflux, which had been around since at least January 2014. The network used sophisticated malware targeting both iOS and Android ...
1 year ago Securityweek.com
This year's resolution: remove nosey apps from your device - Some apps are plain greedy-like a stranger you invite for a meal who insists on ordering everything on the menu. Here's what upset me: After I downloaded the companion app that helps control it for my phone, the app wanted permission to make and ...
1 year ago Blog.avast.com
10 Ways a Digital Shield Protects Apps and APIs - While far from perfect, this approach provided multilayer security defenses to protect apps and APIs. As network architectures gradually became more complex, so did protecting apps and APIs. The on-premises enterprise environment gave way to a hybrid ...
7 months ago Darkreading.com
Apple To Drop Sensor From Some Watch Models - Redesign plan to remove blood-oxygen sensor on certain Apple Watch models is dependent on an appeal court decision. Apple is reportedly prepared to remove the blood-oxygen sensor from certain Apple Watch models, depending on a court decision. The ...
11 months ago Silicon.co.uk
Days After Google, Apple Reveals Exploited Zero-Day in Browser Engine - Apple has patched an actively exploited zero-day bug in its WebKit browser engine for Safari. Actively Exploited Apple yesterday described the vulnerability as something an attacker could exploit to execute arbitrary code on affected systems. ...
10 months ago Darkreading.com
Apple 'Find My' network can be abused to steal keylogged passwords - Apple's "Find My" location network can be abused by malicious actors to stealthily transmit sensitive information captured by keyloggers installed in keyboards. The Find My network and application is designed to help users locate lost or misplaced ...
1 year ago Bleepingcomputer.com
CVE-2024-38367 - trunk.cocoapods.org is the authentication server for the CoacoaPods dependency manager. Prior to commit d4fa66f49cedab449af9a56a21ab40697b9f7b97, the trunk sessions verification step could be manipulated for owner session hijacking Compromising a ...
3 months ago
Without Interoperability, Apple Customers Will Never Be Secure - Every internet user should have the ability to privately communicate with the people that matter to them, in a secure fashion, using the tools and protocols of their choosing. Apple's iMessage offers end-to-end encrypted messaging for its customers, ...
1 year ago Eff.org
Apple Move iPad Engineering To Vietnam - Fresh reports of Apple shifting manufacturing from China, with iPad product development resources relocated to Vietnam. Apple continues to strengthen its manufacturing and development capabilities outside of mainland China, according to recent media ...
1 year ago Silicon.co.uk

Latest Cyber News


Cyber Trends (last 7 days)


Trending Cyber News (last 7 days)