Security researchers at EVA Information Security reported that CocoaPods, the dependency manager for Swift and Objective-C projects, had three vulnerabilities in its trunk server.
The first vulnerability lies in the email verification mechanism the platform uses to verify pod developers. A developer claims access to an account by entering the email address associated with the pod, after which a verification link is sent to that address. The URL in that link, however, could be altered so that it pointed to a server controlled by attackers.
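To make the verification-link weakness concrete, here is an added Ruby example (not code from the article or from the CocoaPods project). It assumes the weak variant built the link's host from a value taken from the inbound request; the article only says the URL in the link could be modified, so that mechanism and the `trunk.example.test` origin are assumptions. The hardened variant takes the origin only from server-side configuration, and a check rejects any link whose origin is not the configured one before it is emailed.

```ruby
require 'securerandom'
require 'uri'

# Assumed server-side configured origin for the trunk service.
CANONICAL_BASE = "https://trunk.example.test"

# Weak (assumed pattern): the link's host comes from the inbound request,
# so whoever controls that value controls where the recipient is sent.
def build_link_from_request_host(token, request_host)
  "https://#{request_host}/sessions/verify/#{token}"
end

# Hardened: the link's origin comes only from configuration.
def build_link(token)
  URI.join(CANONICAL_BASE, "/sessions/verify/#{token}").to_s
end

# Unguessable, single-use token for the verification link.
def issue_token
  SecureRandom.urlsafe_base64(32)
end

# Gate before sending: the link must point at our configured origin and nothing else.
def link_origin_ok?(link)
  u = URI.parse(link)
  base = URI.parse(CANONICAL_BASE)
  u.scheme == base.scheme && u.host == base.host && u.port == base.port
rescue URI::InvalidURIError
  false
end

if __FILE__ == $PROGRAM_NAME
  token = issue_token
  puts "safe link:   #{build_link(token)} -> ok? #{link_origin_ok?(build_link(token))}"
  weak = build_link_from_request_host(token, "attacker.example.test")
  puts "weak link:   #{weak} -> ok? #{link_origin_ok?(weak)}"
end
```

The point of the check is that the token alone does not protect the developer: a valid token delivered in a link to the wrong host hands the token to that host. Deriving the origin from configuration, and verifying it again at send time, removes the request-controlled input from the link entirely.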
Millions of users are at risk
The second vulnerability allows threat actors to hijack pods that have been abandoned by developers but are still used in applications. The third vulnerability allows attackers to run code on the trunk server.
The attack surface is quite large, as approximately 3 million mobile applications use some of the 100,000 libraries available on the platform. Moreover, when the library is changed, the applications are automatically updated without any interaction from the users.
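The article's point about libraries being updated underneath applications is what makes pod hijacking costly. The added Ruby example below (not the article's or the CocoaPods project's code) is a small audit a developer can run over a Podfile and Podfile.lock to list pods whose version requirement lets `pod update` pull a new release, and pods with no recorded spec checksum in the lockfile. Both input files are constructed inline for the example; the pod names and checksums are made up.

```ruby
# Constructed sample Podfile: one exact pin, one optimistic range, one unconstrained pod.
PODFILE = <<~PODFILE
  platform :ios, '15.0'
  target 'App' do
    pod 'FooKit', '1.2.3'
    pod 'BarNet', '~> 2.0'
    pod 'BazUI'
  end
PODFILE

# Constructed sample Podfile.lock; checksums are placeholder values.
LOCKFILE = <<~LOCK
  PODS:
    - BarNet (2.0.1)
    - FooKit (1.2.3)

  DEPENDENCIES:
    - BarNet (~> 2.0)
    - BazUI
    - FooKit (= 1.2.3)

  SPEC CHECKSUMS:
    BarNet: 1111111111111111111111111111111111111111
    FooKit: 2222222222222222222222222222222222222222

  PODFILE CHECKSUM: 3333333333333333333333333333333333333333

  COCOAPODS: 1.15.2
LOCK

# Parse `pod 'Name'` / `pod 'Name', 'requirement'` lines into name => requirement (nil if absent).
def parse_podfile(text)
  text.each_line.with_object({}) do |line, pods|
    m = line.match(/^\s*pod\s+['"]([^'"]+)['"](?:\s*,\s*['"]([^'"]+)['"])?/)
    pods[m[1]] = m[2] if m
  end
end

# Exact pin: "1.2.3" or "= 1.2.3". Anything else (~>, >=, no requirement) can float.
def exact_pin?(req)
  !req.nil? && req.match?(/\A=?\s*\d+(\.\d+)*\z/)
end

# Parse the SPEC CHECKSUMS section of Podfile.lock into name => checksum.
def parse_lock_checksums(text)
  sums = {}
  in_section = false
  text.each_line do |line|
    if line.start_with?("SPEC CHECKSUMS:")
      in_section = true
      next
    end
    break if in_section && line.strip.empty?   # blank line ends the section
    next unless in_section
    name, sha = line.strip.split(":", 2)
    sums[name] = sha.strip if name && sha
  end
  sums
end

# Report pods that can float to a new release and pods with no recorded checksum.
def audit(podfile_text, lock_text)
  pods = parse_podfile(podfile_text)
  sums = parse_lock_checksums(lock_text)
  {
    unpinned: pods.reject { |_, req| exact_pin?(req) }.keys.sort,
    no_checksum: pods.keys.reject { |name| sums.key?(name) }.sort,
  }
end

if __FILE__ == $PROGRAM_NAME
  result = audit(PODFILE, LOCKFILE)
  puts "Pods without an exact version pin: #{result[:unpinned].join(', ')}"
  puts "Pods missing a SPEC CHECKSUM in Podfile.lock: #{result[:no_checksum].join(', ')}"
end
```

A committed Podfile.lock already fixes the resolved versions for `pod install`; the audit is useful for seeing which requirements would let a hijacked pod's newer release in on the next `pod update`, and which pods have no checksum to compare against after an update.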
“Many applications can access users’ most sensitive information: credit card information, medical records, private materials, and more. Injecting code into these applications allows attackers to use this information in almost every imaginable way: ransomware, fraud, blackmail, corporate espionage,” the researchers write in their article. “This process can expose companies to major legal liability and reputational risk.”
The vulnerabilities were reported and fixed in October 2023; at that time there was no evidence that they had been exploited in the wild. Today, application developers and users do not need to take any precautions.
Source link: https://www.teknolojioku.com/guvenlik/ios-uygulamalarinda-korkutan-guvenlik-acigi-6685e5b88774cc93440145b5