Israel-based cybersecurity and testing company EVA Information Security has discovered a bug in Cocoapods, a widely used dependency manager for software projects coded in the Swift and Objective-C programming languages.
Dependency Manager is an important tool in software development, allowing for the validation and cryptographic signing of software packages. Therefore, a problem with such a tool can have a negative impact on many parts of the software or web.
According to EVA Information Security, the issue may have existed since 2014, and is the result of a botched Cocoapods server migration that left thousands of software library packages unlinked to their original source files and unable to trace their origins. This is a loophole that allows attackers to replace the original source code with their own malicious code.
"Due to system security shortcomings, these packages can be hijacked by bad guys and then used to inject malware into software development tools for developers. Because they were not detected for a long time, it means that thousands of applications and millions of devices have been exposed over the years," the company's representative said.
With many apps having access to sensitive user information like credit cards, medical records, and private documents, hackers can exploit vulnerabilities, install ransomware, or other types of malware to collect them.
EVA Information Security believes that Apple is "at the center of the mess" when most iOS and macOS applications are coded in Swift and Objective-C languages, including popular names such as TikTok, Snapchat, LinkedIn, Netflix, Microsoft Teams, Facebook, Messenger.
As a result, thousands of apps on these platforms could be affected. An attack on the mobile app ecosystem could infect most Apple devices, leaving thousands of organizations vulnerable financially and reputationally.
The bugs have reportedly been patched by Cocoapods, but the fact that they went undiscovered for nearly a decade is a cause for concern. EVA Information Security recommends that developers review their product's source code to determine if their software is vulnerable.
Apple has not yet commented on the news.
Source: https://kinhtedothi.vn/canh-bao-lo-hong-nguy-hiem-tan-cong-he-dieu-hanh-ios.html
![[Infographic] In 2025, 47 products will achieve national OCOP](https://vphoto.vietnam.vn/thumb/402x226/vietnam/resource/IMAGE/2025/7/16/5d672398b0744db3ab920e05db8e5b7d)
Comment (0)