
Many macOS and iOS apps are exposed to vulnerabilities in CocoaPods, an open source dependency manager, which EVA Information Security disclosed on July 1. The vulnerabilities have been patched since EVA first discovered them, and no attacks have been specifically linked to them.
The case is nonetheless notable because the vulnerabilities went undetected for so long, and it shows why developers should be careful with open source libraries. It is a reminder for developers and DevOps teams to check whether any of their organization’s devices may be affected.
EVA said that “thousands of apps and millions of devices” may have been affected. The security team said they found vulnerable CocoaPods pods in the documentation or terms of service documents of “apps provided by Meta (Facebook, Whatsapp), Apple (Safari, AppleTV, Xcode), and Microsoft (Teams); as well as TikTok, Snapchat, Amazon, LinkedIn, Netflix, Okta, Yahoo, Zynga, and others.”
EVA reported the CocoaPods vulnerabilities in October 2023, and they have since been patched.
“The CocoaPods team responded to the vulnerability responsibly and quickly,” EVA Information Security wrote.
Vulnerabilities from CocoaPods
EVA Information Security did not initially look for vulnerabilities in CocoaPods, a dependency manager for Swift and Objective-C projects that verifies the legitimacy of open source components; instead, the team discovered the vulnerabilities while performing red team testing for a client.
EVA described three separate issues. First, CocoaPods moved from GitHub to the “trunk” server in 2014, but pod owners were required to manually reclaim ownership of their pods. Some of them never did, leaving 1,866 “orphan” pods unattended for the next 10 years. Anyone could request ownership of these pods from CocoaPods via email, which would allow an attacker to inject malicious content into them.
Second, attackers could exploit an insecure email authentication process to run malicious code on the “trunk” server, and from there manipulate or replace software packages downloaded from it.
Third, attackers could steal account verification tokens by forging HTTP headers and exploiting misconfigured email security tools. With such a token they could change packages on the CocoaPods server, which could result in supply chain and zero-day attacks.

What developers and DevOps teams can do to mitigate CocoaPods vulnerabilities
The CocoaPods vulnerability is a reminder for developers and DevOps teams not to forget about dependency managers, which can be a potential weak link in supply chain security. To address the CocoaPods vulnerability, developers and DevOps teams should carefully review the open source dependencies used in their application code.
EVA Recommendations:
- If you use software that depends on orphaned CocoaPods packages, keep your Podfile.lock file synchronized with all CocoaPods developers so that everyone is using the same versions of the packages.
- Check the list of dependencies and package managers used in your application.
- Verify checksums of third-party libraries.
- Regularly scan external libraries, especially CocoaPods, to detect malicious code or suspicious changes.
- Keep your software updated.
- Limit the use of orphaned or unmaintained CocoaPods packages.
- Be wary of potential exploits of widely used dependencies like CocoaPods.