3 million iOS and macOS apps were exposed to potent supply-chain attacks
How were the vulnerabilities in CocoaPods' trunk server discovered?
The vulnerabilities in CocoaPods' trunk server were discovered by security researchers at E.V.A Information Security, who reported their findings to the CocoaPods team. The researchers identified three separate vulnerabilities that could be exploited to stage software supply chain attacks, putting downstream customers at severe risk.
What vulnerabilities affected macOS and iOS apps for a decade?
The vulnerabilities that affected macOS and iOS apps for a decade stemmed from an insecure email verification mechanism used to authenticate the developers of individual pods in the CocoaPods repository. These vulnerabilities allowed attackers to inject malicious code into apps and gain access to sensitive information, exposing millions of users to potential risks.
How did hackers potentially exploit these vulnerabilities?
Hackers could have exploited these vulnerabilities by injecting malicious code into open source Swift and Objective-C projects on the CocoaPods repository, which is used by approximately 3 million macOS and iOS apps. This could have compromised the security of millions or billions of users who installed the affected apps, potentially allowing attackers to access sensitive information for malicious purposes such as ransomware, fraud, and corporate espionage.