Millions of iOS apps could have been hit by cyberattack due to this worrying flaw

News
By published

CocoaPods flaw allowed attackers to mount supply chain attacks

An abstract image of padlocks overlaying a digital background.
(Image credit: Shutterstock) (Image credit: Shutterstock)

A key tool used primarily in iOS and macOS app development was vulnerable in a way that opened up millions of Mac apps to supply chain attacks, experts have warned.

Cybersecurity researchers EVA Information Security claim a dependency manager for Swift and Objective-C projects called CocoaPods, carried three vulnerabilities in a “trunk” server used to manage CocoaPods. 

One of the vulnerabilities resides in the verification email mechanism that the platform uses to authenticate pod developers. To gain access to an account, the developer would enter their email address associated with the pod, and then get a link sent to their email. However, the URL in the link could be altered to redirect the developer to a server under the attackers’ control. 

Millions of people at risk

The second vulnerability allowed threat actors to take over pods abandoned by developers - but still used in apps. The third vulnerability grants the attackers the ability to run code on the trunk server. 

Since roughly 3 million mobile apps are using some 100,000 libraries found on the platform, the attack surface is quite big. To make matters worse, once the library is altered, the apps using it would update it automatically, with no interaction from the end user. 

“Many applications can access a user’s most sensitive information: credit card details, medical records, private materials, and more,” the researchers said in their writeup. “Injecting code into these applications could enable attackers to access this information for almost any malicious purpose imaginable—ransomware, fraud, blackmail, corporate espionage… In the process, it could expose companies to major legal liabilities and reputational risk.”

The vulnerabilities were disclosed, and fixed, in October 2023 - and at the time, there was no evidence of in-the-wild abuse. Today, app developers and users are not required to do anything to secure their premises.

More from TechRadar Pro

Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

Read more
A close-up photo of an iPhone, with the App Store icon prominent in the center of the image.
Thousands of iOS apps found to expose user data and leak Stripe keys
chrome firefox extensions
Google Chrome extensions hit in major attack - dozens of developers affected, so be on your guard
A person at a laptop with a cybersecure lock symbol floating above it.
Parallels Desktop has some worrying security flaws for Mac users
Holographic representation of cloud computing over open businessman's hand
Businesses are struggling to address vulnerabilities hidden in phantom dependencies
Apple's new "Share Item Location" feature for AirTags.
Apple security alert - zero-day patched, so update your devices now
Security
Microsoft reveals more on a potentially major Apple macOS security flaw
Latest in Security
An American flag flying outside the US Capitol building against a blue sky
The FCC is creating a security council to bolster US defenses against cyberattacks
Image depicting hands typing on a keyboard, with phishing hooks holding files, passwords and credit cards.
Microsoft warns about a new phishing campaign impersonating Booking.com
Ransomware
Microsoft uncovers sleuthy new XCSSET MacOS malware campaign
Computer Hacked, System Error, Virus, Cyber attack, Malware Concept. Danger Symbol
Meta warns of worrying security flaw hitting open source type software
Hand holding smartphone and scan fingerprint biometric identity for unlock her mobile phone
Biometrics add another layer of security to passwordless authentication
Data leak
Hacked Tata Technologies data leaked by ransomware gang
Latest in News
Google Gemini Flash 2.0 Images
I tried Gemini's new AI image generation tool - here are 5 ways to get the best art from Google's Flash 2.0
An image of the Samsung Galaxy S25 Ultra from a hands-on event
Samsung Galaxy S26 Ultra could resurrect an intriguing camera feature
Eurocom Raptor X18
At $15,000, this massive 256GB RAM laptop makes Apple's MacBook Pro look affordable, tiny and very, very slow
Cristin Milioti in Black Mirror season 7
Netflix launches trailer for Black Mirror season 7, giving us a look at its first-ever sequel episode and an unexpected returning character
A graphic of the PC Gaming Show
Get ready for a bounty of PC games on June 8, as the PC Gaming show is back
A close up of The Daily podcast from Pocket Casts' web page
‘Podcasting shouldn’t be locked behind walled gardens’: Pocket Casts slams Spotify and makes its web player free to all
More about security
An American flag flying outside the US Capitol building against a blue sky

The FCC is creating a security council to bolster US defenses against cyberattacks
Ransomware

Microsoft uncovers sleuthy new XCSSET MacOS malware campaign
Google Gemini Flash 2.0 Images

I tried Gemini's new AI image generation tool - here are 5 ways to get the best art from Google's Flash 2.0
See more latest
Most Popular
Google Gemini Flash 2.0 Images
I tried Gemini's new AI image generation tool - here are 5 ways to get the best art from Google's Flash 2.0
Eurocom Raptor X18
At $15,000, this massive 256GB RAM laptop makes Apple's MacBook Pro look affordable, tiny and very, very slow
Dell Pro 75 Plus monitor pictured against a white background.
Dell just launched a $4,000 75-inch 4K touchscreen display - but I've found one rival that's 50% cheaper
An image of the Samsung Galaxy S25 Ultra from a hands-on event
Samsung Galaxy S26 Ultra could resurrect an intriguing camera feature
Quordle on a smartphone held in a hand
Quordle hints and answers for Friday, March 14 (game #1145)
NYT Connections homescreen on a phone, on a purple background
NYT Connections hints and answers for Friday, March 14 (game #642)
NYT Strands homescreen on a mobile phone screen, on a light blue background
NYT Strands hints and answers for Friday, March 14 (game #376)
Verizon logo on a building with blue sky above
Millions of Americans are missing out on cheap unlimited cloud storage - how to check if you are one of them
Cristin Milioti in Black Mirror season 7
Netflix launches trailer for Black Mirror season 7, giving us a look at its first-ever sequel episode and an unexpected returning character
The Toyota FT-Me Concept sitting in a car park
Toyota's self-charging concept EV could help you tackle the daily commute on solar power alone