Three vulnerabilities were discovered in CocoaPods, the dependency manager for Swift and Objective-C projects that is widely used in iOS and macOS apps. They allowed an attacker to claim ownership of thousands of unclaimed (orphaned) pods and, from there, to push malicious code into the many popular applications that depend on them. The flaws stemmed from an insecure email verification mechanism used to authenticate the developers of individual pods, together with an earlier server migration that had left thousands of pods without an owner. CocoaPods has since patched the issues.
Dependency managers are essential to modern software development, but they also concentrate risk: a vulnerability in one widely used dependency, or in the manager's own infrastructure, propagates to every project that pulls from it. In the CocoaPods case, an attacker who compromised the pod registry or hijacked an orphaned pod could have shipped code into thousands of applications and onto millions of devices. That is why dependencies need active management: pin the versions you resolve, review what actually changed when the lock file is updated, and keep dependencies patched rather than only refreshing them when something breaks.
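One concrete check for the "review what changed" step above. CocoaPods records, in `Podfile.lock`, the SHA-1 of each resolved pod's podspec under `SPEC CHECKSUMS`; if a pod is hijacked and a new podspec is published, the checksum written on the next `pod install` or `pod update` no longer matches the one the team reviewed. The script below is an added example, not code from the page or from the CocoaPods project: it parses that section from two lock files (a reviewed baseline and the current one) and reports changed, added and removed pods. The lock file contents and the checksums in it are constructed for the example; the pod names are real, the checksum values are not.

```python
"""Detect podspec checksum drift between two CocoaPods Podfile.lock files.

Hypothetical audit helper (not CocoaPods' own tooling). Sample lock file
contents below are constructed; the checksum values are placeholders.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Top-level Podfile.lock sections are "NAME:" alone on a line; key/value lines
# such as "PODFILE CHECKSUM: <sha1>" deliberately do not match.
SECTION_RE = re.compile(r"^([A-Z][A-Z ]*):\s*$")
# Entries under SPEC CHECKSUMS look like "  PodName: <40 hex chars>".
CHECKSUM_RE = re.compile(r"^ {2}(\S+):\s*([0-9a-f]{40})\s*$")


def parse_spec_checksums(lock_text: str) -> dict[str, str]:
    """Return {pod_name: podspec_sha1} from the SPEC CHECKSUMS section."""
    checksums: dict[str, str] = {}
    in_section = False
    for line in lock_text.splitlines():
        header = SECTION_RE.match(line)
        if header:
            in_section = header.group(1) == "SPEC CHECKSUMS"
            continue
        if in_section:
            entry = CHECKSUM_RE.match(line)
            if entry:
                checksums[entry.group(1)] = entry.group(2)
    return checksums


@dataclass
class Drift:
    """Differences between a reviewed baseline and the current lock file."""
    changed: dict[str, tuple[str, str]] = field(default_factory=dict)  # name -> (old, new)
    added: dict[str, str] = field(default_factory=dict)
    removed: dict[str, str] = field(default_factory=dict)

    def is_clean(self) -> bool:
        return not (self.changed or self.added or self.removed)


def compare_checksums(baseline: dict[str, str], current: dict[str, str]) -> Drift:
    drift = Drift()
    for name, old in baseline.items():
        new = current.get(name)
        if new is None:
            drift.removed[name] = old
        elif new != old:
            drift.changed[name] = (old, new)
    for name, new in current.items():
        if name not in baseline:
            drift.added[name] = new
    return drift


def audit_lockfile(baseline_text: str, current_text: str) -> Drift:
    """Diff the SPEC CHECKSUMS sections of two Podfile.lock contents."""
    return compare_checksums(parse_spec_checksums(baseline_text),
                             parse_spec_checksums(current_text))


def format_report(drift: Drift) -> list[str]:
    lines = []
    for name, (old, new) in sorted(drift.changed.items()):
        lines.append(f"CHANGED {name}: {old[:12]} -> {new[:12]} (review the new podspec)")
    for name, sha in sorted(drift.added.items()):
        lines.append(f"ADDED   {name}: {sha[:12]} (new direct or transitive dependency)")
    for name in sorted(drift.removed):
        lines.append(f"REMOVED {name}")
    return lines or ["OK: SPEC CHECKSUMS match the reviewed baseline"]


# Constructed sample: a reviewed baseline lock file with placeholder checksums.
BASELINE_LOCK = """\
PODS:
  - Alamofire (5.8.1)
  - SwiftyJSON (5.0.1)

DEPENDENCIES:
  - Alamofire (~> 5.8)
  - SwiftyJSON

SPEC REPOS:
  trunk:
    - Alamofire
    - SwiftyJSON

SPEC CHECKSUMS:
  Alamofire: 1111111111111111111111111111111111111111
  SwiftyJSON: 2222222222222222222222222222222222222222

PODFILE CHECKSUM: 3333333333333333333333333333333333333333

COCOAPODS: 1.15.2
"""

# Constructed "current" lock: same pinned versions, but SwiftyJSON's podspec
# checksum differs and a pod the team never reviewed has appeared.
CURRENT_LOCK = BASELINE_LOCK.replace(
    "SwiftyJSON: 2222222222222222222222222222222222222222",
    "SwiftyJSON: 2222222222222222222222222222222222222229\n"
    "  Kingfisher: 4444444444444444444444444444444444444444",
)

if __name__ == "__main__":
    for line in format_report(audit_lockfile(BASELINE_LOCK, CURRENT_LOCK)):
        print(line)
```

Run it in CI against the lock file committed on the main branch versus the one in the pull request and fail the build on any `CHANGED` line until someone has read the new podspec. Two caveats: the checksum covers the podspec, not the source archive it points to, so a changed podspec still needs its `source` URL and commit or tag checked; and pinning only helps if `pod update` is run deliberately, since a hijacked pod's new version is pulled in as soon as someone updates without looking.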
The orphaned-pod problem traced back to an imperfect server migration in 2014 that left thousands of pods without an owner, so that anyone could commandeer them and use them for supply chain attacks against the apps that depended on them.