Three million apps across iOS and macOS are exposed to the risk of powerful supply chain attacks

Author: Lao Sun is at the forefront of science and technology

Quick guide

A vulnerability in the CocoaPods server went undiscovered for a decade and could enable a supply chain attack affecting about 3 million macOS and iOS apps. The vulnerability was fixed in October. The code injection risk, disclosed by EVA's information security team, could lead to unauthorized access to sensitive user information and potentially to ransomware and other malicious activity. The researchers found three vulnerabilities: one allowed an attacker to manipulate URLs, another allowed the takeover of deprecated pods, and a third allowed an attacker to execute code on a backbone server. Exploitation of these vulnerabilities poses a serious threat to user data security and company reputation, and they need to be remediated promptly to avoid that risk.

Vulnerabilities in the CocoaPods server

These vulnerabilities went undetected for a decade, exposing thousands of macOS and iOS apps to potential supply chain attacks. The vulnerabilities were fixed in October and are located on a central server that manages CocoaPods, a vital repository for about 3 million macOS and iOS apps. When developers make changes to their code packages (called "pods"), those changes are automatically incorporated into the dependent application via updates, often without any action on the part of the end user.

Code injection risk

The EVA information security team discovered these vulnerabilities, revealing the serious risks posed by injecting malicious code into applications. This can lead to unauthorized access to sensitive user information, including credit card details, medical records, and private data. Such breaches can lead to serious consequences, such as ransomware, fraud, and corporate espionage, posing legal and reputational risks to affected companies.

Exploitable vulnerabilities

EVA researchers identified three vulnerabilities that could be exploited to compromise the security of CocoaPods users. The first allowed an attacker to manipulate URLs so that users are redirected to servers the attacker controls, potentially exposing sensitive data. The second allowed an attacker to take over deprecated pods that are still in use, without any proof of ownership. The third, a flaw in the email address verification mechanism, allowed an attacker to execute code on a backbone server.
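As an added example (not from the article, and not CocoaPods' own code), the script below parses a Podfile.lock and compares it with a known-good copy, flagging the lockfile changes that a silent upstream pod takeover of the kind described above would produce on the next update: a podspec whose checksum changed without a version bump, or a pod that was never in the baseline. Both lockfile texts are constructed samples.

```python
import re

# Constructed sample Podfile.lock fragments (not from the article): a committed
# known-good baseline and the state after a fresh `pod update`.
BASELINE_LOCK = """\
PODS:
  - Alamofire (5.6.4)
  - OldLogger (1.2.0)

SPEC CHECKSUMS:
  Alamofire: 4e95d97098eacb88856099c4fc79b526a299e48c
  OldLogger: 0a1b2c3d4e5f60718293a4b5c6d7e8f90a1b2c3d
"""

CURRENT_LOCK = """\
PODS:
  - Alamofire (5.6.4)
  - OldLogger (1.2.0)
  - NewHelper (0.1.0)

SPEC CHECKSUMS:
  Alamofire: 4e95d97098eacb88856099c4fc79b526a299e48c
  OldLogger: ffffffffffffffffffffffffffffffffffffffff
  NewHelper: 1111111111111111111111111111111111111111
"""

POD_LINE = re.compile(r"^  - (\S+) \(([^)]+)\)")   # top-level "  - Name (1.2.3)"
SUM_LINE = re.compile(r"^  (\S+): ([0-9a-f]{40})$")  # "  Name: <sha1 of podspec>"

def parse_lockfile(text):
    """Return {pod: {"version": str, "checksum": str}} from Podfile.lock text."""
    pods, section = {}, None
    for line in text.splitlines():
        if line and not line.startswith(" "):   # unindented line = section header
            section = line.rstrip(":")
            continue
        if section == "PODS" and (m := POD_LINE.match(line)):
            pods.setdefault(m.group(1), {})["version"] = m.group(2)
        elif section == "SPEC CHECKSUMS" and (m := SUM_LINE.match(line)):
            pods.setdefault(m.group(1), {})["checksum"] = m.group(2)
    return pods

def audit(baseline_text, current_text):
    """List (pod, reason) pairs worth a human look before the update is accepted."""
    base, cur = parse_lockfile(baseline_text), parse_lockfile(current_text)
    findings = []
    for name, spec in sorted(cur.items()):
        old = base.get(name)
        if old is None:
            findings.append((name, "new pod not in baseline"))
        elif spec.get("version") == old.get("version") and spec.get("checksum") != old.get("checksum"):
            findings.append((name, "podspec checksum changed for the same version"))
        elif spec.get("version") != old.get("version"):
            findings.append((name, "version changed"))
    return findings
```

A checksum that changes while the version stays the same means the podspec itself was altered upstream, which is exactly the signal a pod takeover leaves in a project that otherwise updates automatically.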