Millions of macOS and iOS apps were found to be exposed to potential supply-chain attacks because of vulnerabilities that went undetected for a decade. Researchers have warned that hackers could have exploited these vulnerabilities to insert malicious code, putting the security and privacy of millions, or even billions, of users at risk.
The vulnerabilities were discovered by researchers from EVA Information Security and concern the “trunk” server used to manage CocoaPods, a popular repository for open source Swift and Objective-C projects. Approximately 3 million macOS and iOS apps rely on CocoaPods, making them susceptible to attacks that could compromise sensitive information such as credit card details, medical records, and other private data.
One of the vulnerabilities involved an insecure verification email mechanism used to authenticate the developers of individual pods. By manipulating the URL embedded in the verification email, attackers could redirect developers to a server under their control and so gain access to sensitive information. A second vulnerability allowed attackers to take control of abandoned pods that were still being used by apps, and a third enabled attackers to execute code on the trunk server.
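The verification-email flaw above comes down to one design question: where does the server get the host name it writes into the link it mails out? The Python below is an added illustration, not CocoaPods' own code and not a reconstruction of the trunk server's logic. It contrasts a weak link builder that derives the host from a request-supplied value (the `host_header` parameter and the attacker host `pods.attacker.test` are constructed for the example) with a hardened builder that uses a fixed canonical base URL (`CANONICAL_BASE`, an assumed placeholder), and it adds an outbound gate that refuses to send any link whose origin is not the service's own.

```python
"""Added example: building and vetting account-verification links.

Assumed names: CANONICAL_BASE is a placeholder for the service's own
origin; the sample host values are constructed for the demonstration.
"""
import secrets
from urllib.parse import urlencode, urlsplit

# The only origin that verification links are ever allowed to point at.
# Configured once at deploy time, never read from an incoming request.
CANONICAL_BASE = "https://trunk.example.test"  # assumed placeholder


def new_token() -> str:
    """Unguessable one-time token bound to the pending verification."""
    return secrets.token_urlsafe(32)


def build_link_from_request(host_header: str, token: str) -> str:
    """WEAK pattern: the host comes from a value the client controls.

    If a proxy or the application echoes an attacker-supplied host into the
    mailed link, the developer who clicks it hands the token to that host.
    """
    return f"https://{host_header}/verify?{urlencode({'token': token})}"


def build_link_canonical(token: str) -> str:
    """Hardened pattern: the host is the fixed canonical origin."""
    return f"{CANONICAL_BASE}/verify?{urlencode({'token': token})}"


def points_home(link: str) -> bool:
    """True only if the link's scheme and host match CANONICAL_BASE exactly."""
    got, want = urlsplit(link), urlsplit(CANONICAL_BASE)
    return got.scheme == want.scheme and got.netloc == want.netloc


def gate_outbound_link(link: str) -> str:
    """Defence in depth: the mailer refuses to send a link that does not point home.

    Raises ValueError so that a misconfigured or request-derived host fails
    closed and shows up in logs instead of reaching a developer's inbox.
    """
    if not points_home(link):
        raise ValueError(f"refusing to mail verification link with foreign origin: {link}")
    return link


def safe_to_send(link: str) -> bool:
    """Convenience wrapper returning a boolean instead of raising."""
    try:
        gate_outbound_link(link)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    token = new_token()
    # A request that arrives with a spoofed host value (constructed for the demo).
    weak = build_link_from_request("pods.attacker.test", token)
    good = build_link_canonical(token)
    print("request-derived link passes gate:", safe_to_send(weak))  # False
    print("canonical link passes gate:      ", safe_to_send(good))  # True
```

The gate is deliberately separate from the builder: even if a future refactor reintroduces a request-derived host, the mailer still fails closed, and the raised error is something a SOC can alert on.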
The vulnerabilities were fixed in October, but the discovery highlights the importance of securing the software supply chain. Developers and users should stay alert to potential security risks and take steps to protect their devices from malicious attacks. The incident serves as a reminder of the ongoing threat posed by supply-chain attacks and of the need for robust security measures to safeguard sensitive information.