Application security, Supply chain, Endpoint/Device Security

Supply chain attack against iOS, macOS apps likely with severe CocoaPods bugs

Share
Open finder app in macOs

Numerous widely used iOS and macOS apps could be compromised in supply chain attacks with a trio of vulnerabilities in the CocoaPods dependency manager, all of which have already been remediated in October, The Hacker News reports.

Most severe of the identified flaws is the maximum severity insecure email verification workflow issue, tracked as CVE-2024-38366, which could be leveraged to facilitate arbitrary code execution on the Trunk server and eventually allow package manipulation and replacement, according to a report from E.V.A. Information Security.

Another critical vulnerability, tracked as CVE-2024-38368, could be exploited to allow package takeovers, source code tampering, and malicious code injections, while a separate high-severity email address verification bug, tracked as CVE-2024-38367, could be used to lure targets into clicking malicious verification links and allow developer session token access.

"We have found that almost every pod owner is registered with their organizational email on the Trunk server, which makes them vulnerable to our zero-click takeover vulnerability," researchers said.

Supply chain attack against iOS, macOS apps likely with severe CocoaPods bugs

Numerous widely used iOS and macOS apps could be compromised in supply chain attacks with a trio of vulnerabilities in the CocoaPods dependency manager, all of which have already been remediated in October, The Hacker News reports.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms of Use and Privacy Policy.