Decade-old vulnerabilities patched, addressing supply chain risks to numerous Apple devices
Three long-standing vulnerabilities in CocoaPods, discovered by EVA Information Security, posed significant risks by potentially allowing malware injection into iOS and macOS apps before being patched in October 2023.
Researchers at cybersecurity firm EVA Information Security have uncovered three major vulnerabilities in CocoaPods, a widely used tool that simplifies adding and updating third-party code in iOS and macOS apps. These vulnerabilities, which went unnoticed for nearly a decade, posed significant risks because they could have allowed attackers to inject malware into apps built with CocoaPods. Since CocoaPods is commonly used to integrate pre-written code into iOS and macOS apps, the flaws could have let attackers slip malicious code into the apps themselves.
The vulnerabilities stem from a migration process in May 2014, which left thousands of CocoaPods packages ‘orphaned’ and potentially vulnerable. According to EVA researchers, CocoaPods is extensively used by iOS developers, including major companies like Google, GitHub, Amazon, Dropbox, and others, making the impact widespread across various projects and dependencies.
One of the most critical vulnerabilities, identified as CVE-2024-38368, could have been exploited by malicious actors to inject malware into apps using compromised packages, effectively bypassing security measures and compromising user data.
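A defender-side check for the risk described above is to pin and audit the resolved pods rather than trusting whatever `pod update` pulls next. The following is an added example, not code from the article or from the CocoaPods project: it parses the standard Podfile.lock layout (the `PODS:` and `SPEC CHECKSUMS:` sections) and reports any pod whose version or podspec checksum no longer matches a baseline recorded when the dependency was reviewed. The lockfile, the baseline and the checksum values are constructed for the example.

```ruby
# Added example, not from the article or the CocoaPods project: parse the standard
# Podfile.lock layout and flag drift against a baseline recorded when each pod was reviewed.
POD_LINE = /\A  - (\S+) \(([^)]+)\):?\z/      # top-level "  - Name (1.2.3)" entries only
CHECKSUM_LINE = /\A  (\S+): ([0-9a-f]{40})\z/  # "  Name: <sha1>" lines under SPEC CHECKSUMS
# Returns { pods: { root_name => version }, checksums: { root_name => sha1 } }.
def parse_lockfile(text)
  section, pods, checksums = nil, {}, {}
  text.each_line do |raw|
    line = raw.chomp
    if (m = /\A([A-Z ]+):\z/.match(line))     # section headers: "PODS:", "SPEC CHECKSUMS:", ...
      section = m[1]
    elsif section == "PODS" && (m = POD_LINE.match(line))
      pods[m[1].split("/").first] = m[2]       # "Firebase/Core" is keyed by its root "Firebase"
    elsif section == "SPEC CHECKSUMS" && (m = CHECKSUM_LINE.match(line))
      checksums[m[1]] = m[2]
    end
  end
  { pods: pods, checksums: checksums }
end
# baseline: { name => { version:, checksum: } }. Returns a list of findings; an empty
# list means every resolved pod still matches what was reviewed.
def audit_lockfile(text, baseline)
  lock = parse_lockfile(text)
  findings = []
  lock[:pods].each do |name, version|
    expected = baseline[name]
    next findings << "#{name}: not in baseline (new dependency, review before merging)" unless expected
    findings << "#{name}: version #{expected[:version]} -> #{version}" if version != expected[:version]
    actual = lock[:checksums][name].to_s
    findings << "#{name}: podspec checksum changed (#{expected[:checksum][0, 8]} -> #{actual[0, 8]})" if actual != expected[:checksum]
  end
  (baseline.keys - lock[:pods].keys).each { |name| findings << "#{name}: removed from lockfile" }
  findings
end
# Constructed sample lockfile and baseline; the checksums are placeholders, not real values.
SAMPLE_LOCK = <<~LOCK
  PODS:
    - Alamofire (5.6.4)
    - Firebase/Core (10.0.0):
      - FirebaseCore (= 10.0.0)
    - FirebaseCore (10.0.0)
  SPEC CHECKSUMS:
    Alamofire: 4e95d97098eacb88856099c4fc79b526a299e48c
    Firebase: 0000000000000000000000000000000000000000
    FirebaseCore: 1111111111111111111111111111111111111111
LOCK
BASELINE = { "Alamofire" => { version: "5.6.4", checksum: "4e95d97098eacb88856099c4fc79b526a299e48c" },
             "Firebase" => { version: "10.0.0", checksum: "ffffffffffffffffffffffffffffffffffffffff" } }
puts audit_lockfile(SAMPLE_LOCK, BASELINE)
```

Run in CI on every change to Podfile.lock, a non-empty result blocks the merge until someone reviews the new or changed pod.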
EVA responsibly disclosed these vulnerabilities to CocoaPods, which promptly patched them in October 2023; the findings were only made public afterwards. As of now, there are no known instances of these vulnerabilities being exploited by malicious actors. The prompt response from CocoaPods limited the risk to app developers and to the users of apps that depend on the platform.