A key tool used primarily in iOS and macOS app development was vulnerable in a way that exposed millions of Mac apps to supply chain attacks, experts have warned.
Cybersecurity researchers EVA Information Security claim that a dependency manager for Swift and Objective-C projects called CocoaPods had three vulnerabilities in a “trunk” server used to manage CocoaPods.
One of the vulnerabilities lies in the verification email mechanism that the platform uses to authenticate pod developers. To gain access to an account, the developer must enter their email address associated with the pod and then receive a link in their email. However, the link URL could be modified to redirect the developer to a server under the attackers' control.
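The defensive pattern that closes this class of bug is to build the emailed link only from the server's own configured origin and to verify that origin before the message is sent. The snippet below is an added illustration, not code from the CocoaPods trunk project; the base URL, path and token format are assumptions chosen for the example.

```ruby
require 'securerandom'
require 'uri'

# Assumption: the canonical origin of the verification service is fixed in
# server configuration. A constructed placeholder, not CocoaPods' real host.
TRUNK_BASE_URL = URI('https://trunk.example.test').freeze

# A fresh, unguessable one-time token for the email link.
def new_verification_token
  SecureRandom.urlsafe_base64(32)
end

# Hardened link builder: scheme, host and port come only from TRUNK_BASE_URL.
# Nothing taken from the incoming request (headers, parameters) influences
# where the link points, so a forged request cannot redirect the developer.
def verification_link(token)
  raise ArgumentError, 'token must be URL-safe' unless token.match?(/\A[A-Za-z0-9_-]+\z/)
  uri = TRUNK_BASE_URL.dup
  uri.path = "/sessions/verify/#{token}"   # assumed path layout
  uri.to_s
end

# Last-line check before handing the link to the mailer: the origin of the
# link must match the configured origin exactly (scheme, host and port).
def safe_to_send?(link)
  uri = URI(link)
  uri.scheme == TRUNK_BASE_URL.scheme &&
    uri.host == TRUNK_BASE_URL.host &&
    uri.port == TRUNK_BASE_URL.port
rescue URI::InvalidURIError
  false
end
```

In a real deployment the same check belongs in a test that fails the build if any link-generating code starts reading the host from request data.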
Millions of people at risk
The second vulnerability allowed threat actors to take control of pods abandoned by their developers but still used in applications. The third vulnerability allowed attackers to execute code on the trunk server itself.
With approximately 3 million mobile apps using around 100,000 libraries on the platform, the attack surface is quite large. To make matters worse, once the library is modified, the apps that use it automatically update it, without any interaction from the end user.
“Many apps can access a user’s most sensitive information: credit card details, medical records, private materials, and more,” the researchers said in their paper. “Injecting code into these apps could allow attackers to access this information for almost any malicious purpose imaginable: ransomware, fraud, blackmail, corporate espionage… In the process, it could expose companies to significant legal liabilities and reputational risks.”
The vulnerabilities were disclosed and patched in October 2023, and at the time there was no evidence that they had been abused. Today, app developers and users are not required to do anything to protect their installations.