'Almost every Apple device' vulnerable to CocoaPods
Security researchers found vulnerabilities in CocoaPods, allowing malicious code insertion and remote code execution. Pod owners were at risk of a zero-click takeover. CocoaPods issued patches, emphasizing the need for secure software development practices.
Read original article
Security researchers discovered a vulnerability in CocoaPods, an open-source dependency manager used in millions of iOS and macOS apps. The issue, known as CVE-2024-38368, allowed attackers to claim unowned Pods and insert malicious code. Another vulnerability, CVE-2024-38366, enabled remote code execution on the Trunk server. A third vulnerability, CVE-2024-38367, exploited email scanning software to steal session validation tokens. The researchers warned that almost every Pod owner was vulnerable to a zero-click takeover due to email security flaws. While there is no evidence of exploitation, the potential impact on the Apple ecosystem is significant. CocoaPods has since patched the vulnerabilities, but users are advised to review dependencies, validate code, and update installations. This incident underscores the risks associated with open-source dependencies and the importance of supply chain security in software development.
Related
I found a 1-click exploit in South Korea's biggest mobile chat app
A critical exploit in KakaoTalk allows attackers to run JavaScript in a WebView, potentially compromising user accounts by stealing access tokens. The exploit highlights the need to address security vulnerabilities in messaging apps.
AirPods fast connect security vulnerability
A security flaw (CVE-2024-27867) in Apple AirPods firmware allows unauthorized access via Bluetooth MAC address. Firmware updates released for affected models. Users with non-Apple devices may encounter difficulties updating.
Apple CocoaPods Bugs Expose Apps to Code Injection
Millions of Apple apps face code injection risks from critical vulnerabilities in CocoaPods. E.V.A Information Security discovered three major flaws, including remote code execution. Developers are urged to address vulnerabilities promptly.
Remote Unauthenticated Code Execution in OpenSSH Server
Qualys found regreSSHion, a critical RCE flaw in OpenSSH on glibc-based Linux systems. Over 14 million servers are at risk, with potential root access. Qualys created an exploit but delays release for patching.
3M iOS and macOS apps were exposed to potent supply-chain attacks
Vulnerabilities in CocoaPods server exposed 3 million apps to supply-chain attacks for a decade. Flaws allowed hackers to inject malicious code, compromising sensitive user data. Developers urged to prioritize security measures.
2 commentsRelated
I found a 1-click exploit in South Korea's biggest mobile chat app
A critical exploit in KakaoTalk allows attackers to run JavaScript in a WebView, potentially compromising user accounts by stealing access tokens. The exploit highlights the need to address security vulnerabilities in messaging apps.
AirPods fast connect security vulnerability
A security flaw (CVE-2024-27867) in Apple AirPods firmware allows unauthorized access via Bluetooth MAC address. Firmware updates released for affected models. Users with non-Apple devices may encounter difficulties updating.
Apple CocoaPods Bugs Expose Apps to Code Injection
Millions of Apple apps face code injection risks from critical vulnerabilities in CocoaPods. E.V.A Information Security discovered three major flaws, including remote code execution. Developers are urged to address vulnerabilities promptly.
Remote Unauthenticated Code Execution in OpenSSH Server
Qualys found regreSSHion, a critical RCE flaw in OpenSSH on glibc-based Linux systems. Over 14 million servers are at risk, with potential root access. Qualys created an exploit but delays release for patching.
3M iOS and macOS apps were exposed to potent supply-chain attacks
Vulnerabilities in CocoaPods server exposed 3 million apps to supply-chain attacks for a decade. Flaws allowed hackers to inject malicious code, compromising sensitive user data. Developers urged to prioritize security measures.