NIXSolutions: CocoaPods Vulnerabilities Expose Millions of Apps

Researchers at EVA Information Security have discovered several vulnerabilities in the CocoaPods dependency manager, which lets developers integrate third-party libraries into their own applications. The problem affected about 3 million iOS and macOS applications that use CocoaPods.

Exploitation of these vulnerabilities could result in attackers gaining access to sensitive application data, including users’ bank card numbers, medical records, etc. Such information can be used to commit a number of crimes, such as fraud, blackmail, and corporate espionage.

Details of the Vulnerabilities

The vulnerabilities are reportedly related to the email-based mechanism used to authenticate developers of individual libraries. For example, an attacker could change the URL in a verification link so that it redirects to a malicious server. The CocoaPods developers fixed all of the discovered vulnerabilities after receiving a report from EVA.

Historical Context and Ongoing Updates

Note that this is not the first time that dangerous vulnerabilities have been found in CocoaPods. In 2021, developers confirmed a vulnerability that allowed CocoaPods repositories to run arbitrary code on the servers that manage them. Such a bug could be used by attackers to replace legitimate code with malicious packages, which could ultimately end up in applications for iOS and macOS, notes NIXSolutions.

We’ll keep you updated on any new developments regarding CocoaPods security. Be sure to stay informed to protect your applications and sensitive data from potential threats.