July 2nd, 2024

3M iOS and macOS apps were exposed to potent supply-chain attacks

Vulnerabilities in the CocoaPods server exposed 3 million apps to supply-chain attacks for a decade. The flaws would have allowed attackers to inject malicious code into apps, compromising sensitive user data. Developers are urged to prioritize security measures.


A recent discovery revealed that vulnerabilities in a server managing CocoaPods, a repository for macOS and iOS apps, exposed around 3 million apps to supply-chain attacks for a decade. These vulnerabilities were fixed last October but could have allowed hackers to inject malicious code into apps, compromising sensitive user information like credit card details and medical records. The flaws included an insecure email verification mechanism, enabling attackers to gain access to accounts and manipulate URLs to redirect to their servers. Another vulnerability allowed control over abandoned pods still used by apps, while a third flaw permitted code execution on the server. The risks posed by these vulnerabilities highlight the importance of verifying third-party libraries for security. The incident underscores the need for developers to prioritize security measures and conduct regular audits to protect users from potential threats.

Related

Leaking URLs to the Clown

The author describes leaking URLs during Mac app testing, with a unique URL receiving requests from a random "cloud" service every three hours. This raises privacy concerns and highlights potential risks for users.

Apple admits its AirPods had a security problem

Apple addressed security vulnerabilities in AirPods and Beats Fit Pro headphones, preventing hackers from pairing devices with the wrong source. The company released updates to enhance customer protection, emphasizing privacy. Apple prioritizes privacy in its products, like Apple Intelligence, and declined AI collaborations with Meta over privacy concerns.

AirPods fast connect security vulnerability

A security flaw (CVE-2024-27867) in Apple AirPods firmware allows unauthorized access via the device's Bluetooth MAC address. Firmware updates have been released for affected models. Users with non-Apple devices may have difficulty installing the update.

Apple CocoaPods Bugs Expose Apps to Code Injection

Millions of Apple apps face code injection risks from critical vulnerabilities in CocoaPods. E.V.A Information Security discovered three major flaws, including remote code execution. Developers are urged to address vulnerabilities promptly.

'Almost every Apple device' vulnerable to CocoaPods

Security researchers found vulnerabilities in CocoaPods, allowing malicious code insertion and remote code execution. Pod owners were at risk of a zero-click takeover. CocoaPods issued patches, emphasizing the need for secure software development practices.
