New Open Source Bugs Leave Thousands of iOS Apps Vulnerable to Hijacking

The CocoaPods vulnerabilities could threaten TikTok, Snapchat, LinkedIn, Netflix, Microsoft Teams, Facebook Messenger, and many others.

A series of newly discovered vulnerabilities in a widely used open source software utility could spell big trouble for large parts of the iOS and macOS ecosystems. The bugs in question could impact thousands of widely used apps, including popular programs like TikTok, Snapchat, LinkedIn, Netflix, Microsoft Teams, Facebook Messenger, and many others, according to the associated security research.

While the open source components themselves have been patched, DevOps teams for affected apps are surely scrambling to ensure that their systems are properly updated to protect users from potential exploitation.

The vulnerabilities were discovered in CocoaPods, a dependency manager widely used for software projects written in the Swift and Objective-C programming languages. Dependency managers are vital tools in the software development process, allowing for the validation and cryptographic signing of software packages. The corruption of such a tool obviously has big implications for large parts of the web.

The CocoaPods bugs were discovered by researchers with E.V.A. Information Security, a cybersecurity and pentesting firm. The bugs are the result of an imperfect CocoaPods server migration that took place back in 2014, which “orphaned” thousands of software packages. Due to the security deficiencies in the system, those packages could easily have been commandeered by a bad actor and used to commit supply chain attacks, introducing malicious code updates into the corporate software projects that rely on them. The researchers break the situation down like this:

“A 2014 migration process left thousands of orphaned packages, many of which are still widely used in other libraries. Using a public API and an email address that was available in the CocoaPods source code, an attacker could claim ownership over any of these packages, which would then allow the attacker to replace the original source code with their own malicious code... The vulnerabilities we discovered could be used to control the dependency manager itself, and any published package. Downstream dependencies could mean that thousands of applications and millions of devices were exposed over the last few years.”

All three of the bugs have since been patched, but their severity, and the fact that they were left exposed for as many as nine years, is surely keeping a lot of software teams up at night.
The reason Apple is front and center in this mess is that many iOS and macOS apps are written in Swift and Objective-C, making them particularly susceptible to the issues at play. The researchers write that the bugs could impact either “thousands” or “millions” of apps, and that an “attack on the mobile app ecosystem could infect almost every Apple device, leaving thousands of organizations vulnerable to catastrophic financial and reputational damage.”

The researchers say they haven’t yet seen any evidence that apps were actually compromised. If some were, however, it could obviously spell major trouble for users. They note that because many apps can “access a user’s most sensitive information: credit card details, medical records, private materials,” a cybercriminal who injected code into those apps via compromised pods would be able “to access this information for almost any malicious purpose imaginable - ransomware, fraud, blackmail, corporate espionage.”

The researchers have urged corporate developers to review their products and “verify the integrity of open source dependencies used in their application code,” thus ensuring that their systems and their customers are not exposed.

The security deficiencies that can arise in open source software are well known. The commercial software industry relies on FOSS to build its products, but little time is spent on shoring up and securing the free software ecosystem that the entire internet is built on. The end results are, predictably, not good.

Gizmodo reached out to Apple for comment and will update this story if it responds.
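One way to act on that advice for a CocoaPods project, as an added example that is not part of the Gizmodo story or the researchers' work: the script below parses a constructed Podfile.lock excerpt, compares each pod's recorded podspec checksum against a baseline saved from a previously reviewed build, and lists direct dependencies that are not pinned to an exact version. Pod names, checksums and the baseline are all made up.

```python
import re
# Constructed Podfile.lock excerpt; pod names and 40-hex checksums are made up.
PODFILE_LOCK = """\
PODS:
  - ExampleNetworking (2.1.0)
  - ExampleImageCache (5.0.3)
  - ExampleJSON (1.4.0)

DEPENDENCIES:
  - ExampleNetworking (~> 2.1)
  - ExampleImageCache (= 5.0.3)
  - ExampleJSON

SPEC CHECKSUMS:
  ExampleNetworking: 1111111111111111111111111111111111111111
  ExampleImageCache: 2222222222222222222222222222222222222222
  ExampleJSON: 3333333333333333333333333333333333333333
"""
# Podspec checksums recorded from the last reviewed build (constructed baseline).
BASELINE = {
    "ExampleNetworking": "1111111111111111111111111111111111111111",
    "ExampleImageCache": "9999999999999999999999999999999999999999",
}

def parse_section(lock, name):
    """Return the two-space-indented lines under a top-level lock-file section."""
    m = re.search(rf"^{re.escape(name)}:\n((?:  .*\n?)+)", lock, re.M)
    return m.group(1).splitlines() if m else []

def spec_checksums(lock):
    """Map pod name -> podspec SHA-1 from the SPEC CHECKSUMS section."""
    return dict(l.strip().split(": ", 1) for l in parse_section(lock, "SPEC CHECKSUMS"))

def unpinned_dependencies(lock):
    """Direct dependencies lacking an exact '= x.y.z' constraint can float; list them."""
    out = []
    for line in parse_section(lock, "DEPENDENCIES"):
        m = re.match(r"\s*- (\S+)(?: \((.*)\))?", line)
        if not (m.group(2) or "").startswith("= "):
            out.append(m.group(1))
    return out

def audit(lock, baseline):
    """'changed': podspec differs from the reviewed one; 'new': never reviewed; 'ok'."""
    report = {}
    for pod, digest in spec_checksums(lock).items():
        if pod not in baseline:
            report[pod] = "new"
        else:
            report[pod] = "ok" if baseline[pod] == digest else "changed"
    return report
```

A changed checksum also follows a legitimate release, so the report is a review queue rather than a verdict; pair it with confirming that each flagged podspec's source still points at the repository you expect.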

Source: Gizmodo
