According to a report by The Cyber Express, the news service of threat intelligence vendor Cyble and Information Security researchers, three vulnerabilities were identified in the open-source CocoaPods dependency manager.
These vulnerabilities could allow malicious actors to take control of thousands of unclaimed pods and inject harmful code into many popular iOS and MacOS applications, potentially impacting 'almost every Apple device.'
The affected applications include those provided by Meta (Facebook, WhatsApp), Apple (Safari, AppleTV, Xcode), and Microsoft (Teams), as well as TikTok, Snapchat, Amazon, LinkedIn, Netflix, Okta, Yahoo, Zynga, and more.
Although the vulnerabilities have been patched, the researchers discovered 685 pods that still had an explicit dependency using an orphaned pod.
There are likely hundreds or thousands more in proprietary codebases. Interestingly, these vulnerabilities date back to a May 2014 CocoaPods migration to a new 'Trunk' server, which left 1,866 orphaned pods that owners never reclaimed.
While the patches are in place, developers and DevOps teams who used CocoaPods before October 2023 face ongoing work. The E.V.A researchers advise them to verify the integrity of open-source dependencies in their application code.
These vulnerabilities could potentially allow control over the dependency manager itself and any published package.
The researchers emphasise that dependency managers are often overlooked in software supply chain security. They recommend that security leaders explore ways to enhance governance and oversight of these tools.
There is no direct evidence of these vulnerabilities being exploited in the wild, they might be and users are completely unaware of it/
.Potential code changes could impact millions of Apple devices worldwide, including iPhones, Macs, AppleTVs, and Apple Watches.
App developers and users don't need to take immediate action, but the E.V.A researchers suggest several protective measures. These include synchronising the podfile.lock file with all developers, perform CRC validation for internally developed pods, conduct thorough security reviews of third-party code and dependencies, regularly review and verify the maintenance status and ownership of CocoaPods dependencies, and be cautious about widely used dependencies as potential targets for attacks.