Experts warn that a key tool used primarily in iOS and macOS app development was vulnerable to supply chain attacks.
Cybersecurity researchers EVA Information Security claim that a dependency manager for Swift and Objective-C projects, called CocoaPods, contained three vulnerabilities in a ‘trunk’ server used to manage CocoaPods.
One of the vulnerabilities lies in the verification email mechanism that the platform uses to authenticate pod developers. To gain access to an account, the developer would enter their email address associated with the pod and then receive a link to their email address. However, the URL in the link can be modified to redirect the developer to a server under the attackers’ control.
Millions of people are at risk
The second vulnerability allowed threat actors to take over pods that had been abandoned by developers but were still being used in apps. The third vulnerability gives attackers the ability to execute code on the trunk server.
With around 3 million mobile apps using around 100,000 libraries on the platform, the attack surface is quite large. To make matters worse, once the library is changed, the apps using it automatically update it without any interaction from the end user.
“Many applications can access a user’s most sensitive information: credit card details, medical records, private material, and more,” the researchers wrote in their report. “By injecting code into these applications, attackers can use this information for almost any malicious purpose imaginable: ransomware, fraud, blackmail, corporate espionage… In the process, it can expose companies to significant legal liabilities and reputational risk.”
The vulnerabilities were disclosed and fixed in October 2023 – and at the time, there was no evidence of in-the-wild exploitation. Today, app developers and users don’t need to do anything to secure their properties.