
New Open Source Bugs Leave Thousands of iOS Apps Vulnerable to Hijacking


The Cocoapods vulnerabilities could threaten TikTok, Snapchat, LinkedIn, Netflix, Microsoft Teams, Facebook Messenger, and many others.
A series of newly discovered vulnerabilities in a widely used open source software utility could spell big trouble for large parts of the iOS and macOS ecosystems. The bugs could affect thousands of widely used apps, including popular programs like TikTok, Snapchat, LinkedIn, Netflix, Microsoft Teams, Facebook Messenger, and many others, according to the associated security research. While the open source components themselves have been patched, DevOps teams for affected apps are surely scrambling to ensure that their systems are properly updated to protect users from potential exploitation.
The vulnerabilities were discovered in CocoaPods, a dependency manager widely used for software projects written in the Swift and Objective-C programming languages. Dependency managers are vital tools in the software development process, handling the validation and cryptographic signing of software packages. The compromise of such a tool obviously has big (and bad) implications for large parts of the web.
The CocoaPods bugs were discovered by researchers at E.V.A. Information Security, a cybersecurity and pentesting firm. They stem from an imperfect CocoaPods server migration back in 2014 that “orphaned” thousands of software packages. Because of security deficiencies in the system, those packages could easily have been commandeered by a bad actor and (hypothetically) used for supply chain attacks, introducing malicious code updates into the corporate software projects that rely on them.
