New open source bugs leave thousands of iOS apps vulnerable to hacking

A series of vulnerabilities recently discovered in a widely used open source utility could cause major problems for much of the iOS and macOS ecosystem. The bugs in question could impact thousands of widely used apps, including popular programs like TikTok, Snapchat, LinkedIn, Netflix, Microsoft Teams, Facebook Messenger, and more, according to the associated security research. While the open source components themselves have been patched, DevOps teams for impacted applications are certainly working to ensure their systems are properly updated to protect users from potential exploitation.

The vulnerabilities were discovered in CocoaPods, a widely used dependency manager for software projects written in the Swift and Objective-C programming languages. Dependency managers are essential tools in the software development process, enabling the validation and cryptographic signing of software packages. Compromise of such a tool obviously has big (and bad) implications for large parts of the web.

How the CocoaPods bugs were discovered

Researchers at EVA Information Security, a cybersecurity and penetration testing firm, found that these bugs stemmed from a flawed CocoaPods server migration in 2014 that orphaned thousands of software packages. Because of the system’s security flaws, these packages could easily have been hijacked by a malicious actor and (hypothetically) used to mount supply chain attacks, pushing malicious code updates into enterprise software projects that depend on them. The researchers break it down as follows:

A 2014 migration process left thousands of orphaned packages (whose original owner is unknown), many of which are still widely used in other libraries. Using a public API and an email address available in the CocoaPods source code, an attacker could claim ownership of one of these packages, which would then allow them to replace the original source code with their own malicious code… The vulnerabilities we discovered could be used to control the dependency manager itself and any published packages. Downstream dependencies could mean that thousands of applications and millions of devices have been exposed over the past few years.

All three bugs have since been fixed, but their severity and the fact that they remained exposed for nine years is surely keeping many development teams up at night. The reason Apple is at the heart of this mess is that many iOS and macOS apps are written in Swift and Objective-C, which makes them particularly sensitive to the issues at stake. The researchers write that the bugs could impact “thousands” or “millions” of apps, and that “an attack on the mobile app ecosystem could infect nearly every Apple device, leaving thousands of organizations vulnerable to catastrophic financial and reputational damage.”

The researchers say they have not yet seen any evidence that any apps have actually been compromised. However, if any were, it could obviously cause serious problems for users. The researchers note that because many apps can “access a user’s most sensitive information: credit card information, medical records, private documents,” a cybercriminal could inject code into the apps via the compromised modules, allowing them “to access this information for almost any malicious purpose imaginable: ransomware, fraud, blackmail, industrial espionage.”

The researchers urged enterprise developers to review their products and “verify the integrity of open source dependencies used in their application code,” ensuring that their systems and customers are not exposed.
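The advice to “verify the integrity of open source dependencies” can be made concrete on the CocoaPods side. The Python script below is an added example, not code from the article, from CocoaPods or from EVA Information Security: it parses a project’s Podfile.lock (the PODS and SPEC CHECKSUMS sections that CocoaPods writes) and reports any pod, version or spec checksum that differs from a baseline the team has reviewed and committed. The lockfile excerpt, the checksum values and the baseline format are all constructed for this example.

```python
"""Detect drift in a CocoaPods Podfile.lock against a reviewed baseline.

Added example (not from the Gizmodo article, CocoaPods or EVA Information
Security). It assumes a team keeps a baseline of the pod versions and spec
checksums it has reviewed and fails CI when the lockfile resolves to a pod,
version or checksum that is not in that baseline. The lockfile text and
every checksum value below are constructed for illustration.
"""
import re

# Constructed Podfile.lock excerpt in the layout CocoaPods writes.
# All checksum values are made up.
SAMPLE_LOCK = """\
PODS:
  - Alamofire (5.6.4)
  - SDWebImage (5.15.5):
    - SDWebImage/Core (= 5.15.5)
  - SDWebImage/Core (5.15.5)

DEPENDENCIES:
  - Alamofire (~> 5.6)
  - SDWebImage

SPEC REPOS:
  trunk:
    - Alamofire
    - SDWebImage

SPEC CHECKSUMS:
  Alamofire: a1b2c3d4e5f6071829304b5c6d7e8f9012345678
  SDWebImage: deadbeef00112233445566778899aabbccddeeff

PODFILE CHECKSUM: 0123456789abcdef0123456789abcdef01234567

COCOAPODS: 1.12.1
"""

# Reviewed baseline (constructed): pod name -> (version, spec checksum).
# The SDWebImage checksum deliberately differs from the lockfile above.
BASELINE = {
    "Alamofire": ("5.6.4", "a1b2c3d4e5f6071829304b5c6d7e8f9012345678"),
    "SDWebImage": ("5.15.5", "deadbeef00112233445566778899aabbccddee00"),
}

# Top-level PODS entry: two spaces, "- Name[/Subspec] (version)" with an
# optional trailing colon when transitive dependencies follow.
POD_LINE = re.compile(r"^  - ([A-Za-z0-9_.+-]+(?:/[A-Za-z0-9_.+-]+)*) \(([^)]+)\):?$")
# SPEC CHECKSUMS entry: two spaces, "Name: <40 hex chars>".
CHECKSUM_LINE = re.compile(r"^  ([A-Za-z0-9_.+-]+): ([0-9a-f]{40})$")


def parse_podfile_lock(text):
    """Return ({pod: version}, {pod: checksum}) from Podfile.lock text.

    Only top-level entries of PODS and SPEC CHECKSUMS are read; subspecs
    (Name/Sub) are folded into their parent pod's name.
    """
    versions, checksums = {}, {}
    section = None
    for line in text.splitlines():
        if line and not line.startswith(" "):
            section = line.rstrip(":")  # unindented line starts a section
            continue
        if section == "PODS":
            m = POD_LINE.match(line)
            if m:
                versions.setdefault(m.group(1).split("/")[0], m.group(2))
        elif section == "SPEC CHECKSUMS":
            m = CHECKSUM_LINE.match(line)
            if m:
                checksums[m.group(1)] = m.group(2)
    return versions, checksums


def find_drift(lock_text, baseline):
    """Compare a lockfile with the baseline; return human-readable findings."""
    versions, checksums = parse_podfile_lock(lock_text)
    findings = []
    for pod, version in sorted(versions.items()):
        if pod not in baseline:
            findings.append(f"{pod}: not in baseline (new dependency {version})")
            continue
        exp_version, exp_sum = baseline[pod]
        if version != exp_version:
            findings.append(f"{pod}: version {version} != baseline {exp_version}")
        actual_sum = checksums.get(pod)
        if actual_sum != exp_sum:
            findings.append(f"{pod}: spec checksum {actual_sum} != baseline {exp_sum}")
    for pod in sorted(set(baseline) - set(versions)):
        findings.append(f"{pod}: in baseline but no longer in lockfile")
    return findings


if __name__ == "__main__":
    for finding in find_drift(SAMPLE_LOCK, BASELINE):
        print("DRIFT:", finding)
```

The spec checksum in Podfile.lock covers the podspec, not the downloaded source, so this check catches a swapped podspec or a resolved version nobody reviewed; it belongs alongside exact version pinning and a private mirror of the pods a project actually ships, rather than in place of them.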

The security vulnerabilities that can occur in open source software are well known. The commercial software industry relies on free software to build its commercial products, but little time is spent on shoring up and securing the free software ecosystem on which the entire Internet is based. The end results are, predictably, not good.

Gizmodo has reached out to Apple for comment and will update this article if it responds.

News Source : gizmodo.com