
New open-source bugs leave thousands of iOS apps vulnerable to hijacking

A series of newly discovered vulnerabilities in a widely used open source software program could spell big trouble for large parts of the iOS and macOS ecosystems. The bugs in question can affect thousands of widely used apps, including popular programs like TikTok, Snapchat, LinkedIn, Netflix, Microsoft Teams, Facebook Messenger and many others, according to the related security research. While the open source components themselves have been patched, DevOps teams for the affected applications are now left to make sure their own systems are updated to protect users from potential exploitation.

The vulnerabilities were discovered in CocoaPods, a dependency manager widely used for software projects written in the Swift and Objective-C programming languages. Dependency managers are vital tools in the software development process, handling the validation and cryptographic signing of software packages. Compromise of such a tool therefore has big (and bad) consequences for the large part of the ecosystem that depends on it.

The CocoaPods bugs were discovered by researchers at EVA Information Security, a cybersecurity and pentest firm. The bugs stem from an imperfect CocoaPods server migration in 2014, which “orphaned” thousands of software packages. Because of security flaws in the system, these packages could easily be hijacked by a bad actor and (hypothetically) used to launch supply chain attacks, introducing malicious code updates into enterprise software projects that rely on them. The researchers break the situation down like this:

A 2014 migration process left thousands of orphaned packages (where the original owner is unknown), many of which are still widely used in other libraries. Using a public API and an email address that is available in the CocoaPods source code, an attacker can claim ownership of any of these packages, which will then allow the attacker to replace the original source code with their own malicious code… The vulnerabilities we discovered could be used to control the dependency manager itself and any published package. Downstream dependencies can mean thousands of apps and millions of devices have been exposed over the past few years.

All three bugs have since been patched, but their severity, and the fact that they were exposed for nine years, will certainly keep many software teams up at night. The reason Apple is front and center in this mess is that many iOS and macOS apps are written in Swift and Objective-C, which makes them particularly susceptible to the problems in question. The researchers wrote that the bugs could affect either “thousands” or “millions” of apps, and that “an attack on the mobile app ecosystem could infect nearly every Apple device, leaving thousands of organizations vulnerable to catastrophic financial and reputational damage.”

The researchers say they have yet to see any evidence to suggest that the apps were actually compromised. However, if some were, this could obviously lead to major problems for users. The researchers note that because many apps can “access a user’s most sensitive information: credit card details, medical records, personal materials,” a cybercriminal could inject code into the apps through the compromised modules, allowing them to “gain access to this information for almost any malicious possible purpose – ransomware, fraud, extortion, corporate espionage.”

The researchers urged enterprise developers to review their products and “verify the integrity of open source dependencies used in their application code,” thereby ensuring that their systems and their customers are not at risk.
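One concrete way to act on that advice in a CocoaPods project, as an added example that is not code from the article or from EVA Information Security: a script that parses the project's Podfile.lock and compares the spec checksums it records against a baseline the team has reviewed and committed, flagging pods whose checksum has drifted, pods that are new to the baseline, and direct dependencies that are not pinned to an exact version. It assumes the standard Podfile.lock layout (PODS, DEPENDENCIES and SPEC CHECKSUMS sections); the sample lockfile, its hash values and the BASELINE mapping are all constructed for the example, and BASELINE stands in for a hypothetical file a team would maintain next to its lockfile.

```python
"""Audit a CocoaPods Podfile.lock against a reviewed baseline of spec checksums.

Added example (not the article's or EVA Information Security's code). Assumes the
standard Podfile.lock layout with PODS, DEPENDENCIES and SPEC CHECKSUMS sections.
All sample data below is constructed; the 40-hex-digit values are placeholders.
"""
import re
import sys

# Constructed placeholder checksums so the sample parses like a real lockfile.
A, B, C, D = "a" * 40, "b" * 40, "c" * 40, "d" * 40

# Constructed sample Podfile.lock: one '~>' constraint, one exact pin, one unconstrained pod.
SAMPLE_LOCK = f"""\
PODS:
  - Alamofire (5.6.4)
  - ExampleNet (2.1.0):
    - ExampleNet/Core (= 2.1.0)
  - ExampleNet/Core (2.1.0)
  - OrphanedUtil (0.9.3)

DEPENDENCIES:
  - Alamofire (~> 5.6)
  - ExampleNet (= 2.1.0)
  - OrphanedUtil

SPEC CHECKSUMS:
  Alamofire: {A}
  ExampleNet: {B}
  OrphanedUtil: {C}

PODFILE CHECKSUM: {D}

COCOAPODS: 1.15.2
"""

# Hypothetical baseline a team commits and reviews; OrphanedUtil differs on purpose.
BASELINE = {"Alamofire": A, "ExampleNet": B, "OrphanedUtil": "e" * 40}

# "  - Name (1.2.3)" or "  - Name/Subspec (1.2.3):" -> root pod name and resolved version
POD_LINE = re.compile(r"^  - ([^\s/(]+)(?:/[^\s(]+)? \(([^)]+)\)")
# "  - Name (~> 1.2)" or "  - Name" -> root pod name and optional constraint
DEP_LINE = re.compile(r"^  - ([^\s/(]+)(?:/[^\s(]+)?(?: \((.+)\))?\s*$")
# "  Name: <40 hex digits>" -> pod name and spec checksum
CHECKSUM_LINE = re.compile(r"^  ([^:]+): ([0-9a-f]{40})$")


def parse_lockfile(text):
    """Return (resolved_versions, declared_constraints, checksums) from Podfile.lock text."""
    versions, constraints, checksums = {}, {}, {}
    section = None
    for line in text.splitlines():
        if line and not line.startswith(" "):
            section = line.rstrip(":")  # top-level header such as "PODS" or "SPEC CHECKSUMS"
            continue
        if section == "PODS":
            m = POD_LINE.match(line)
            if m:
                versions.setdefault(m.group(1), m.group(2))  # subspecs share the root's version
        elif section == "DEPENDENCIES":
            m = DEP_LINE.match(line)
            if m:
                constraints[m.group(1)] = m.group(2)  # None when no constraint was declared
        elif section == "SPEC CHECKSUMS":
            m = CHECKSUM_LINE.match(line)
            if m:
                checksums[m.group(1)] = m.group(2)
    return versions, constraints, checksums


def audit(text, baseline):
    """Return (pod, reason) findings: checksum drift, unreviewed pods, and loose pins."""
    versions, constraints, checksums = parse_lockfile(text)
    findings = []
    for pod in sorted(versions):
        actual, expected = checksums.get(pod), baseline.get(pod)
        if actual is None:
            findings.append((pod, "no checksum recorded in lockfile"))
        elif expected is None:
            findings.append((pod, "not in baseline: new dependency needs review"))
        elif actual != expected:
            findings.append((pod, "spec checksum changed since baseline"))
    # Only an exact "= x.y.z" pin keeps a later 'pod update' from silently resolving
    # to a newly published version; git-sourced pods ("from ...") are flagged too.
    for pod, constraint in constraints.items():
        if constraint is None or not constraint.startswith("="):
            findings.append((pod, f"not pinned to an exact version (constraint: {constraint or 'none'})"))
    return findings


def main(argv):
    """Audit the lockfile at argv[1] (or the constructed sample) and exit non-zero on findings."""
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8") as fh:
            text = fh.read()
    else:
        text = SAMPLE_LOCK
    findings = audit(text, BASELINE)
    for pod, reason in findings:
        print(f"{pod}: {reason}")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run against the sample, the script reports OrphanedUtil for checksum drift and both Alamofire and OrphanedUtil for loose version constraints, while ExampleNet passes. The spec checksum in Podfile.lock covers the podspec rather than the fetched source, so a check like this catches a spec republished under an existing version or a changed source location, but it is not a substitute for building from vendored or hash-verified sources.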

The security risks that come with open source software are well known. The commercial software industry relies on FOSS to build its products, but little time is spent on strengthening and securing the free software ecosystem on which the entire Internet is built. The end results, predictably, are not good.

Gizmodo has reached out to Apple for comment and will update this story if it responds.
