A series of newly discovered vulnerabilities in a widely used open source software utility could spell big trouble for large parts of the iOS and macOS ecosystems. The bugs in question could impact thousands of widely used apps, including popular programs like TikTok, Snapchat, LinkedIn, Netflix, Microsoft Teams, Facebook Messenger, and many others, according to the associated security research. While the open source components themselves have been patched, DevOps teams for impacted apps are surely scrambling to ensure that their systems are properly updated to protect users from potential exploitation.
The vulnerabilities were discovered in CocoaPods, a dependency manager widely used for software projects written in the Swift and Objective-C programming languages. Dependency managers are vital tools in the software development process, handling the validation and cryptographic signing of the software packages a project pulls in. The corruption of such a tool obviously has big (and bad) implications for large parts of the web.
The CocoaPods bugs were discovered by researchers with E.V.A. Information Security, a cybersecurity and pentesting firm. The bugs are the result of an imperfect CocoaPods server migration that took place back in 2014, which “orphaned” thousands of software packages. Due to the security deficiencies in the system, those packages could have easily been commandeered by a bad actor and (hypothetically) used to commit supply chain attacks that could introduce malicious code updates to the corporate software projects that rely on them. The researchers break the situation down like this:
A 2014 migration process left thousands of orphaned packages (where the original owner is unknown), many of which are still widely used in other libraries. Using a public API and an email address that was available in the CocoaPods source code, an attacker could claim ownership over any of these packages, which would then allow the attacker to replace the original source code with their own malicious code… The vulnerabilities we discovered could be used to control the dependency manager itself, and any published package. Downstream dependencies could mean that thousands of applications and millions of devices were exposed over the last few years.
All three of the bugs have since been patched, but their severity, and the fact that they were left exposed for as many as nine years, is surely keeping a lot of software teams up at night. The reason Apple is front and center in this mess is that many iOS and macOS apps are written in Swift and Objective-C, making them particularly susceptible to the issues at play. The researchers write that the bugs could impact either “thousands” or “millions” of apps, and that an “attack on the mobile app ecosystem could infect almost every Apple device, leaving thousands of organizations vulnerable to catastrophic financial and reputational damage.”
Researchers say they haven’t seen any evidence yet that suggests apps were actually compromised. However, if some were, it could obviously spell major trouble for users. Researchers note that because many apps can “access a user’s most sensitive information: credit card details, medical records, private materials,” a cybercriminal could inject code into the apps via the compromised pods, enabling them “to access this information for almost any malicious purpose imaginable – ransomware, fraud, blackmail, corporate espionage.”
Researchers have urged corporate developers to review their products and “verify the integrity of open source dependencies used in their application code,” thus ensuring that their systems and their customers are not exposed.
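One way a team could act on that advice for a CocoaPods project, as an added example that is not code from the article or from E.V.A.'s research: audit the project's Podfile.lock against a reviewed allowlist of podspec checksums, failing the build when a pod is unpinned or its checksum has changed. Pod names and checksum values below are constructed, and the PINNED_CHECKSUMS allowlist is assumed to be a file the team maintains in version control.

```ruby
require 'yaml'

# Constructed Podfile.lock excerpt: hypothetical pod names, made-up checksums.
SAMPLE_LOCKFILE = <<~LOCK
  PODS:
    - ExampleNetworking (5.6.4)
    - ExampleImages (2.1.0):
      - ExampleImages/Core (= 2.1.0)
    - ExampleImages/Core (2.1.0)
    - NewPod (0.9.0)

  SPEC CHECKSUMS:
    ExampleNetworking: a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1
    ExampleImages: c3c3c3c3c3c3c3c3c3c3c3c3c3c3c3c3c3c3c3c3
    NewPod: d4d4d4d4d4d4d4d4d4d4d4d4d4d4d4d4d4d4d4d4

  COCOAPODS: 1.12.1
LOCK

# Reviewed podspec checksums committed with the project (constructed values).
# ExampleImages was reviewed at a different checksum than the lockfile now has.
PINNED_CHECKSUMS = {
  'ExampleNetworking' => 'a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1',
  'ExampleImages'     => 'b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2',
}.freeze

# Map each root pod in PODS to its resolved version. Entries are either
# "Name (1.2.3)" / "Name/Subspec (1.2.3)" strings or one-key hashes
# (key in that shape, value = the pod's own dependency list).
def pod_versions(lock)
  lock.fetch('PODS', []).each_with_object({}) do |entry, acc|
    label = entry.is_a?(Hash) ? entry.keys.first : entry
    m = label.match(%r{\A([^\s/]+)(?:/\S+)? \(([^)]+)\)\z})
    acc[m[1]] ||= m[2] if m
  end
end

# Flag pods whose podspec checksum is not pinned at all (:unpinned) or
# differs from the reviewed value (:checksum_changed). A clean lockfile
# yields an empty array, so a CI step can fail on any non-empty result.
def audit_lockfile(text, pinned)
  lock = YAML.safe_load(text)
  versions = pod_versions(lock)
  lock.fetch('SPEC CHECKSUMS', {}).each_with_object([]) do |(pod, sum), out|
    issue = !pinned.key?(pod) ? :unpinned : (pinned[pod] != sum ? :checksum_changed : nil)
    next unless issue
    out << { pod: pod, version: versions[pod], issue: issue,
             expected: pinned[pod], actual: sum }
  end
end
```

CocoaPods records in SPEC CHECKSUMS a checksum of each pod's podspec, so a changed value means the spec (source location, tag, script phases) differs from what was last reviewed and the update should be inspected before the build proceeds.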
The security deficiencies that can arise in open source software are well-known. The commercial software industry relies on FOSS to build its products, but little time is spent on shoring up and securing the free software ecosystem that the entire internet is built on. The end results are, predictably, not good.
Gizmodo reached out to Apple for comment and will update this story if it responds.