Millions of iPhone and Mac Apps Left Vulnerable to Security Breach, Reveals Security Firm

According to a report from Ars Technica citing research from EVA Information Security, about three million iPhone and Mac apps are at risk from a security breach.

The exploit could allow attackers to sneak into the apps, potentially causing serious problems. The vulnerability was discovered in CocoaPods, a tool many developers use when creating apps for Apple devices.

According to EVA Information Security's disclosure, this security breach could let attackers gain access to iPhone or Mac apps and see sensitive information, including credit card details, medical records, and other confidential information. They could later use this data for ransomware, fraud, blackmail, or corporate espionage.

“In the process, it could expose companies to major legal liabilities and reputational risk,” said researchers from EVA Information Security.

One of the vulnerabilities stemmed from the email verification process used to verify the developers of specific pods. Attackers could change the web address in a verification link so that it redirected to their malicious server. CocoaPods has since fixed this issue.

Another issue allowed attackers to take control of abandoned pods that developers had stopped updating but were still used by apps. The interface that allowed developers to reclaim these pods remained active for nearly 10 years after it was first set up.

Researchers discovered that anyone who knew about this interface could use it to gain control over a pod without needing to prove they owned it. Furthermore, there was a third issue in which attackers could run their code on the trunk server.

If the security firm had not discovered and reported these bugs, the consequences might have been worse. The good news is that CocoaPods has now addressed these vulnerabilities.
