Pitch Deck Template
Startup Dubai Konnect

Millions of iOS apps were exposed to CocoaPods security breach

, By 9to5mac
Tech

Share via:


App Store fraud | Logo against hazard tape

Millions of iOS and macOS apps have been exposed to a security breach that could be used for potential supply-chain attacks, says an ArsTechnica report based on research by EVA Information Security. The exploit was found in CocoaPods, an open-source repository used by many popular apps developed for Apple platforms.

Exploit found in CocoaPods affected iOS and macOS apps

According to the report, around 3 million iOS and macOS apps that were built with CocoaPods have been vulnerable for around 10 years. For those unfamiliar, CocoaPods makes it easy for developers to integrate third-party code into their apps through open-source libraries. When a library is updated, apps using it automatically get the latest updates.

EVA Information Security revealed that the exploit could lead attackers to access sensitive app data such as credit card details, medical records, and private material. The data could be used for a number of malicious purposes, including ransomware, fraud, blackmail, and corporate espionage.

The vulnerabilities were related to an insecure email verification mechanism used to authenticate developers of individual pods (libraries). For example, an attacker could manipulate the URL in a verification link to point to a malicious server. The CocoaPods team has already taken steps to ensure that the exploits are fixed.

After the EVA researchers privately notified CocoaPods developers of the vulnerability, they wiped all session keys to ensure no one could access the accounts without first having control of the registered email address.

The CocoaPods maintainers also added a new procedure for recovering old orphan pods that requires contacting the maintainers directly. An author would need to contact the company to take over one of those dependencies at this point.

This isn’t the first time that CocoaPods has been targeted by attackers. In 2021, the project’s maintainers confirmed a security issue that allowed CocoaPods repositories to run arbitrary code on the servers that manage it. This could be used to replace existing packages by malicious versions with code that could end up shipping in iOS and Mac apps.

EVA researchers advise developers using CocoaPods in their apps to always review CocoaPods dependencies and run security scans to detect malicious code in all external libraries.

Read also

FTC: We use income earning auto affiliate links. More.



Source link

Disclaimer

We strive to uphold the highest ethical standards in all of our reporting and coverage. We StartupNews.fyi want to be transparent with our readers about any potential conflicts of interest that may arise in our work. It’s possible that some of the investors we feature may have connections to other businesses, including competitors or companies we write about. However, we want to assure our readers that this will not have any impact on the integrity or impartiality of our reporting. We are committed to delivering accurate, unbiased news and information to our audience, and we will continue to uphold our ethics and principles in all of our work. Thank you for your trust and support.

Previous News
Google’s environmental report pointedly avoids AI’s actual energy cost
Next News
Aave protocol’s GHO stablecoin now live on Arbitrum
9to5mac
9to5mac

Popular

More Like this

Load more

Millions of iOS apps were exposed to CocoaPods security breach

, By 9to5mac
Tech


App Store fraud | Logo against hazard tape

Millions of iOS and macOS apps have been exposed to a security breach that could be used for potential supply-chain attacks, says an ArsTechnica report based on research by EVA Information Security. The exploit was found in CocoaPods, an open-source repository used by many popular apps developed for Apple platforms.

Exploit found in CocoaPods affected iOS and macOS apps

According to the report, around 3 million iOS and macOS apps that were built with CocoaPods have been vulnerable for around 10 years. For those unfamiliar, CocoaPods makes it easy for developers to integrate third-party code into their apps through open-source libraries. When a library is updated, apps using it automatically get the latest updates.

EVA Information Security revealed that the exploit could lead attackers to access sensitive app data such as credit card details, medical records, and private material. The data could be used for a number of malicious purposes, including ransomware, fraud, blackmail, and corporate espionage.

The vulnerabilities were related to an insecure email verification mechanism used to authenticate developers of individual pods (libraries). For example, an attacker could manipulate the URL in a verification link to point to a malicious server. The CocoaPods team has already taken steps to ensure that the exploits are fixed.

After the EVA researchers privately notified CocoaPods developers of the vulnerability, they wiped all session keys to ensure no one could access the accounts without first having control of the registered email address.

The CocoaPods maintainers also added a new procedure for recovering old orphan pods that requires contacting the maintainers directly. An author would need to contact the company to take over one of those dependencies at this point.

This isn’t the first time that CocoaPods has been targeted by attackers. In 2021, the project’s maintainers confirmed a security issue that allowed CocoaPods repositories to run arbitrary code on the servers that manage it. This could be used to replace existing packages by malicious versions with code that could end up shipping in iOS and Mac apps.

EVA researchers advise developers using CocoaPods in their apps to always review CocoaPods dependencies and run security scans to detect malicious code in all external libraries.

Read also

FTC: We use income earning auto affiliate links. More.



Source link

Disclaimer

We strive to uphold the highest ethical standards in all of our reporting and coverage. We StartupNews.fyi want to be transparent with our readers about any potential conflicts of interest that may arise in our work. It’s possible that some of the investors we feature may have connections to other businesses, including competitors or companies we write about. However, we want to assure our readers that this will not have any impact on the integrity or impartiality of our reporting. We are committed to delivering accurate, unbiased news and information to our audience, and we will continue to uphold our ethics and principles in all of our work. Thank you for your trust and support.

Website Upgradation is going on for any glitch kindly connect at office@startupnews.fyi

Previous News
Google’s environmental report pointedly avoids AI’s actual energy cost
Next News
Aave protocol’s GHO stablecoin now live on Arbitrum
9to5mac
9to5mac

More like this

Biden’s reelection odds brush single digits on Polymarket

Blockchain Cointelegraph -
Former U.S. President Donald Trump is still in...

Tesla’s India Plans Take A Backseat As EV Major...

All News INC42 -
SUMMARY Tesla executives are said to have stopped contacting...

Impact On Investments In The Gaming Industry

Startups INC42 -
SUMMARY The Indian government permits 100% Foreign Direct Investment...
Load more

Popular

Upcoming Events

View all
Event Updates

Startup Information that matters. Get in your inbox Daily!

Subscribe

StartupNews.fyi

Subscribe

© 2024 StartupNews.fyi | DOTFYI Media Ventures Private Limited. All Rights Reserved.

StartupNews.fyi

StartupNews.fyi is India's leading news & Technology media company that focuses on Startups in India and to stories across the globe.

© 2024 StartupNews.fyi | DOTFYI Media Ventures Private Limited. All Rights Reserved.