Apple CocoaPods Bugs Expose Apps to Code Injection
Millions of Apple apps face code injection risks from critical vulnerabilities in CocoaPods. E.V.A Information Security discovered three major flaws, including remote code execution. Developers are urged to address vulnerabilities promptly.
Millions of Apple apps are at risk of code injection due to critical vulnerabilities in CocoaPods, a popular dependency manager used by developers in Apple's ecosystem. The platform, with over 100,000 libraries and three million apps, including popular ones like Instagram and Uber, has been exposed to serious bugs for years. E.V.A Information Security discovered three major vulnerabilities, the most severe of which allows remote code execution. CocoaPods has mishandled APIs since its 2014 migration, leaving thousands of pods orphaned and vulnerable to exploitation. An open-source component introduced in 2014 also posed a severe risk, allowing attackers to inject malicious code into pods. While there is no evidence of exploitation yet, the sheer number of at-risk pods over the past decade presents a significant supply chain risk. Developers are advised to take remediation steps, including checking for orphaned pods and reviewing dependencies thoroughly. Apple has been contacted for comment on the situation.
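As an added example (not from the article, E.V.A Information Security or the CocoaPods project), a small Python audit of a Podfile.lock that surfaces pods worth a manual look when reviewing dependencies: those resolved from a spec source other than the official trunk repo, those with no recorded spec checksum, and those whose checksum drifted from a previously reviewed baseline. The lockfile excerpt, the example.invalid spec repo URL and every checksum are constructed; orphaned-pod status cannot be read from the lockfile alone and still has to be checked against the spec repo.

```python
import re

# Constructed Podfile.lock excerpt (not from the article); checksums are made up.
SAMPLE_LOCK = """PODS:
  - Alamofire (5.9.1)
  - LegacyPod (0.3.0):
    - Alamofire
  - VendorKit (2.1.0)
SPEC REPOS:
  trunk:
    - Alamofire
    - LegacyPod
  "https://example.invalid/specs.git":
    - VendorKit
SPEC CHECKSUMS:
  Alamofire: a1b2c3d4a1b2c3d4a1b2c3d4a1b2c3d4a1b2c3d4
  VendorKit: 0123456789abcdef0123456789abcdef01234567
"""
# Constructed baseline: checksums recorded the last time the dependencies were reviewed.
BASELINE = {"Alamofire": "a1b2c3d4a1b2c3d4a1b2c3d4a1b2c3d4a1b2c3d4",
            "VendorKit": "ffffffffffffffffffffffffffffffffffffffff"}

def parse_podfile_lock(text):
    """Return ({pod: version}, {pod: spec repo}, {pod: checksum}) from Podfile.lock text."""
    pods, repos, sums, section, repo = {}, {}, {}, None, None
    for line in text.splitlines():
        if line and not line[0].isspace():          # top-level key starts a new section
            section, repo = line.split(":")[0], None
        elif section == "PODS" and (m := re.match(r"^  - (\S+) \(([^)]+)\)", line)):
            pods[m.group(1).split("/")[0]] = m.group(2)   # fold subspecs into their pod
        elif section == "SPEC REPOS" and (m := re.match(r"^  (\S.*?):\s*$", line)):
            repo = m.group(1).strip('"')                  # repo name or quoted source URL
        elif section == "SPEC REPOS" and (m := re.match(r"^    - (\S+)", line)):
            repos[m.group(1)] = repo
        elif section == "SPEC CHECKSUMS" and (m := re.match(r"^  (\S+): (\S+)", line)):
            sums[m.group(1)] = m.group(2)
    return pods, repos, sums

def audit_lock(text, baseline, trusted_repo="trunk"):
    """List (pod, reason) pairs that warrant manual review before trusting the lockfile."""
    pods, repos, sums = parse_podfile_lock(text)
    findings = []
    for name in sorted(pods):
        if repos.get(name) != trusted_repo:
            findings.append((name, f"spec source is {repos.get(name) or 'unknown'}, not {trusted_repo}"))
        if name not in sums:
            findings.append((name, "no spec checksum recorded"))
        elif name in baseline and baseline[name] != sums[name]:
            findings.append((name, "spec checksum changed since baseline"))
    return findings
```

Running `audit_lock(SAMPLE_LOCK, BASELINE)` on the constructed input reports LegacyPod (no checksum) and VendorKit twice (third-party source, drifted checksum) while Alamofire passes; point it at a real Podfile.lock and a checksum baseline committed alongside it.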
Related
The First Spatial Computing Hack
Ryan Pickren found a Safari bug letting websites flood a user's space with 3D objects. Apple fixed it (CVE-2024-27812) in June after Ryan's report. The bug exploited Apple AR Kit Quick Look, launching objects without consent.
Leaking URLs to the Clown
The author describes leaking URLs during Mac app testing, with a unique URL receiving requests from a random "cloud" service every three hours. This raises privacy concerns and highlights potential risks for users.
Apple admits its AirPods had a security problem
Apple addressed security vulnerabilities in AirPods and Beats Fit Pro headphones, preventing hackers from pairing devices with the wrong source. The company released updates to enhance customer protection, emphasizing privacy. Apple prioritizes privacy in its products, like Apple Intelligence, and declined AI collaborations with Meta over privacy concerns.
5 WordPress Plugins Compromised; Millions of Websites at Risk
Millions of WordPress sites face security risks from hacked plugins allowing unauthorized access. Owners urged to check, deactivate compromised plugins, update regularly, use strong passwords, two-factor authentication, and security plugins.
AirPods fast connect security vulnerability
A security flaw (CVE-2024-27867) in Apple AirPods firmware allows unauthorized access via Bluetooth MAC address. Firmware updates released for affected models. Users with non-Apple devices may encounter difficulties updating.
Love them or hate them, CocoaPods are still essential when building apps for Apple platforms. There are entire ecosystems like Kotlin Multiplatform, Flutter and others that depend on CocoaPods. Many good (but old) libraries are only available as pods (some still in Objective-C or even C++).
CocoaPods also offers features which are difficult or even impossible with Swift Packages, especially for distributing more complex binaries and frameworks. And not to mention the brittle tooling around Swift Packages, slower build times etc. SPM is not bad but it needs more time and attention to mature before it's ready to fully take over.