CocoaPods Vulnerabilities from 2014 Endanger Millions of Apple Devices

Historical CocoaPods vulnerabilities discovered in 2014 continue to pose a threat to the security of millions of Apple devices today.

Marco Rizal
Last updated: August 21, 2024 10:13 am

Cybersecurity experts at E.V.A Information Security discovered significant vulnerabilities in CocoaPods, a widely utilized tool for app development on iPhones and Macs.

These vulnerabilities were discovered during a server update in 2014, which made thousands of app-building components susceptible to hackers.

The problems arise from an error that occurred during a CocoaPods update in 2014. This update caused a situation where approximately 1,866 parts of CocoaPods, also known as “pods,” were left without proper owners or protectors.

These pods, which were left without protection, became susceptible to attacks, enabling hackers to inject malicious code into them.

Given the widespread usage of these pods in popular apps across Apple devices, the potential impact of an attack could be significant.

A significant vulnerability, identified as CVE-2024-38366, arose due to a modification in the email address verification process employed by CocoaPods during registration.

This change introduced a vulnerability that could be taken advantage of by hackers to gain unauthorized access to the system, potentially resulting in data theft or the insertion of harmful code.

Additionally, the update was found to be associated with two other vulnerabilities, namely CVE-2024-38368 and CVE-2024-38367.

One of them, CVE-2024-38368, allowed hackers to manipulate orphaned pods and modify their contents. They were able to gain unauthorized access to their accounts by pretending to be legitimate users.

The vulnerabilities have a major impact as they are present in CocoaPods, which are widely used in applications developed by major tech companies such as Meta (owner of Facebook and WhatsApp), Apple (for apps like Safari and Xcode), and Microsoft (for Teams).

In addition, TikTok, Snapchat, and Netflix, along with other popular social media apps and entertainment services, also depend on CocoaPods.

Because these applications have billions of users every month, the vulnerabilities pose a potentially serious threat to everyone who primarily uses an Apple device.

The vulnerabilities have been addressed and patched; however, the researchers have come across 685 Pods that rely on orphaned Pods. There is a strong possibility that numerous instances also exist in proprietary codebases.

Security experts strongly recommend that developers who have used CocoaPods in their applications, especially prior to October 2023, conduct thorough inspections and verification of their dependency lists.
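
One way to carry out the dependency-list inspection recommended above, as an added example that is not from the article or the researchers: the script reads the PODS and DEPENDENCIES sections of a Podfile.lock and reports which direct dependencies reach a watchlisted pod, including through transitive dependencies. The lockfile excerpt, the pod names and the WATCHLIST contents are constructed; a real watchlist has to be filled in from a source you trust.

```python
import re

# Constructed Podfile.lock excerpt; every pod name here is hypothetical.
SAMPLE_LOCK = """\
PODS:
  - AppAnalytics (2.1.0):
    - NetKit/Core (~> 1.4)
  - LegacyJSON (0.9.3)
  - NetKit/Core (1.4.2):
    - LegacyJSON (>= 0.9)
  - UIHelpers (3.0.0)

DEPENDENCIES:
  - AppAnalytics
  - UIHelpers
"""
WATCHLIST = {"LegacyJSON"}  # assumption: pods you have identified as orphaned
ENTRY = re.compile(r'^(\s*)- "?([^\s"(:]+)')  # indent, pod name (maybe quoted)

def parse_lock(text):
    """Return (graph, direct): pod -> pods it requires, and the DEPENDENCIES set."""
    graph, direct, section, current = {}, set(), None, None
    for line in text.splitlines():
        m = ENTRY.match(line)
        if line[:1].strip():                     # unindented section header
            section = line.rstrip(":")
        elif m:
            # Ownership is per pod, so subspecs ("NetKit/Core") fold into the root.
            indent, name = len(m.group(1)), m.group(2).split("/", 1)[0]
            if section == "PODS" and indent == 2:
                current = name
                graph.setdefault(current, set())
            elif section == "PODS" and current and name != current:
                graph[current].add(name)
            elif section == "DEPENDENCIES":
                direct.add(name)
    return graph, direct

def flagged_chains(graph, direct, watchlist):
    """Map each direct dependency to one path that reaches a watchlisted pod."""
    chains = {}
    for start in sorted(direct):
        stack, seen = [[start]], set()
        while stack:
            path = stack.pop()
            if path[-1] in watchlist:
                chains[start] = path
                break
            if path[-1] not in seen:
                seen.add(path[-1])
                stack.extend(path + [d] for d in sorted(graph.get(path[-1], ())))
    return chains
```

To audit a real project, pass the text of its Podfile.lock to parse_lock and review every chain that flagged_chains returns.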
