Decade-Long Vulnerabilities Put Millions of iOS and macOS Apps at Risk


By Sophia Taylor


Researchers from EVA Information Security recently uncovered significant security vulnerabilities within CocoaPods, a popular dependency manager for Swift and Objective-C projects. These vulnerabilities posed severe risks, allowing potential attackers to infiltrate iPhone and Mac apps and access sensitive information, including credit card details, medical records, and other confidential data.

Exploitation and Risks

The discovered vulnerabilities could facilitate various malicious activities such as ransomware attacks, fraud, blackmail, and corporate espionage. “In the process, it could expose companies to major legal liabilities and reputational risk,” EVA Information Security researchers noted.

Vulnerabilities in Detail

  • Email Verification Exploit (CVE-2024-38367): The primary issue arose from the email verification process used to authenticate CocoaPods developers. Attackers could manipulate the verification link to redirect to their malicious server, enabling unauthorized access to the apps.
  • Control of Abandoned Pods (CVE-2024-38368): Another vulnerability allowed attackers to take over pods that were no longer maintained by their original developers but were still in use. An old interface intended for developers to reclaim these pods was exploitable, remaining active nearly a decade after its implementation.
  • Arbitrary Code Execution (CVE-2024-38366): The third vulnerability allowed attackers to execute arbitrary code on the trunk server, potentially compromising the entire server infrastructure.
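As an added defensive example (not from the article, from EVA Information Security, or from the CocoaPods project): a check an app team can run in CI to notice when a pod's published spec changed without its version changing. From the consuming app's side, that is what a takeover of a still-used but abandoned pod would look like, and it is also what CocoaPods' own lock file already records. The script parses the PODS and SPEC CHECKSUMS sections of Podfile.lock and compares them against a previously reviewed copy; both lock files below are constructed sample data, and the finding labels are this example's own.

```python
"""Flag podspec checksum drift between two CocoaPods Podfile.lock files.

Added example, not code from the article or from CocoaPods. A pod whose spec
checksum changed while its resolved version stayed the same has had its
podspec republished under an unchanged version, which warrants a manual look.
"""
import re
import sys

# Constructed baseline: the Podfile.lock as last reviewed and committed.
BASELINE_LOCK = """\
PODS:
  - Alamofire (5.8.1)
  - ExamplePod (2.3.0):
    - ExampleHelper
  - ExampleHelper (1.1.0)

DEPENDENCIES:
  - Alamofire (~> 5.8)
  - ExamplePod

SPEC CHECKSUMS:
  Alamofire: 3ca42bd1a2d5f7f1c7a1e1b0a4f3e5d6c7b8a9f0
  ExamplePod: 0123456789abcdef0123456789abcdef01234567
  ExampleHelper: 89abcdef0123456789abcdef0123456789abcdef

PODFILE CHECKSUM: deadbeefdeadbeefdeadbeefdeadbeefdeadbeef

COCOAPODS: 1.15.2
"""

# Constructed current lock: ExamplePod's checksum changed at the same version,
# ExampleHelper was bumped normally, and NewPod was added to the project.
CURRENT_LOCK = """\
PODS:
  - Alamofire (5.8.1)
  - ExamplePod (2.3.0):
    - ExampleHelper
  - ExampleHelper (1.2.0)
  - NewPod (0.9.0)

DEPENDENCIES:
  - Alamofire (~> 5.8)
  - ExamplePod
  - NewPod

SPEC CHECKSUMS:
  Alamofire: 3ca42bd1a2d5f7f1c7a1e1b0a4f3e5d6c7b8a9f0
  ExamplePod: fedcba9876543210fedcba9876543210fedcba98
  ExampleHelper: 1111111111111111111111111111111111111111
  NewPod: 2222222222222222222222222222222222222222

PODFILE CHECKSUM: cafebabecafebabecafebabecafebabecafebabe

COCOAPODS: 1.15.2
"""

# Top-level PODS entries are indented two spaces; their dependencies four.
POD_LINE = re.compile(r"^  - (?P<name>[^\s(]+) \((?P<version>[^)]+)\):?$")
CHECKSUM_LINE = re.compile(r"^  (?P<name>\S+): (?P<sha>[0-9a-f]{40})$")


def parse_lock(text):
    """Return ({root pod: version}, {root pod: spec checksum}) from a lock file."""
    versions, checksums = {}, {}
    section = None
    for line in text.splitlines():
        if line and not line.startswith(" "):
            section = line.split(":")[0]  # "PODS:", "SPEC CHECKSUMS:", ...
            continue
        if section == "PODS":
            m = POD_LINE.match(line)
            if m:
                root = m.group("name").split("/")[0]  # "Pod/Subspec" -> "Pod"
                versions.setdefault(root, m.group("version"))
        elif section == "SPEC CHECKSUMS":
            m = CHECKSUM_LINE.match(line)
            if m:
                checksums[m.group("name")] = m.group("sha")
    return versions, checksums


def find_drift(baseline_text, current_text):
    """Classify each pod in the current lock relative to the reviewed baseline."""
    base_v, base_c = parse_lock(baseline_text)
    cur_v, cur_c = parse_lock(current_text)
    findings = {}
    for pod, sha in cur_c.items():
        if pod not in base_c:
            findings[pod] = "new"            # review like any new dependency
        elif sha == base_c[pod]:
            findings[pod] = "unchanged"
        elif cur_v.get(pod) != base_v.get(pod):
            findings[pod] = "version-bump"   # expected on a normal upgrade
        else:
            findings[pod] = "SPEC-DRIFT"     # same version, different podspec
    return findings


if __name__ == "__main__":
    results = find_drift(BASELINE_LOCK, CURRENT_LOCK)
    for pod, state in sorted(results.items()):
        print(f"{state:12} {pod}")
    # Fail the CI job if any spec was republished under an unchanged version.
    sys.exit(1 if "SPEC-DRIFT" in results.values() else 0)
```

In a real pipeline the baseline is the Podfile.lock from the last reviewed commit and the current one is what `pod install` just produced; a SPEC-DRIFT finding is a prompt to inspect the pod's spec and source before merging, not proof of compromise, since maintainers occasionally re-push a spec under the same tag.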

The Impact

The implications of these vulnerabilities are vast. CocoaPods supports over 100,000 libraries used by more than 3 million apps. If exploited, these security flaws could lead to significant data breaches and wide-scale supply-chain attacks, compromising the integrity of numerous applications.

Response and Mitigation

Fortunately, the CocoaPods team has addressed these issues. Following the discovery of the vulnerabilities in October 2023, they have patched the system, removed all potentially stolen session keys, and implemented new processes to recover orphaned pods.

While no active attacks exploiting these vulnerabilities have been detected, the risks highlighted by EVA Information Security underline the importance of robust security measures in software development.

Moving Forward

EVA Information Security has provided guidelines to developers on mitigating these vulnerabilities, emphasizing the need for continuous vigilance and proactive security practices. Developers are encouraged to review these methods to ensure the integrity and security of their applications.

For more detailed guidance on addressing these vulnerabilities, see EVA Information Security’s published recommendations.