Thousands of iOS apps could be at risk because of an open-source vulnerability.

A vulnerability in open-source software Cocoapods can put applications such as Facebook, TikTok, Netflix on iOS and macOS at risk of attack.

The research team of EVA Information Security, a cybersecurity and testing company in Israel, said it discovered a bug in Cocoapods, a dependency manager widely used for software projects written in the Swift and Objective-C programming languages. A dependency manager is an important tool in the software development process, responsible for authenticating and cryptographically signing software packages, so a flaw in such a tool can affect a large share of the software and web services built with it.

User operates on iPhone.

According to EVA Information Security, the problem may have existed since 2014, as a result of an uneven Cocoapods server migration process that left thousands of software library packages "orphaned", meaning they were no longer linked to their original source files on the server and could not be traced back to their origin. This is a loophole that lets attackers replace the original source code with their own malicious code.

"Due to shortcomings in system security, these packages can be hijacked by bad actors and then used to inject malicious code into software development tools for developers," a group representative wrote on the blog. "Because it went undetected for so long, it means thousands of apps and millions of devices have been exposed over the years."

With many applications having access to sensitive user information such as credit cards, medical records, and private documents, hackers could take advantage of the vulnerabilities to install ransomware or other types of malicious code and collect that data.

Also, according to the research team, Apple is "the center of the mess", since most iOS and macOS applications are written in Swift and Objective-C, including popular names like TikTok, Snapchat, LinkedIn, Netflix, Microsoft Teams, Facebook, and Messenger. As a result, thousands of apps on these platforms could be affected, and "an attack on the mobile app ecosystem could infect most Apple devices, leaving thousands of organizations vulnerable to financial and reputational damage."

According to the research team, the above flaws have now been patched by Cocoapods, but the fact that they went undetected for nearly a decade is a cause for concern. The group recommends that developers review their products' source code to determine whether their software is affected.

Apple has not yet commented.
