Critical CocoaPods Flaws Fixed, Previously Left Apple Devices Vulnerable

Security experts are raising the alarm after exploring several threats across open source software that may have been targeted to try and hack thousands of Apple devices.

The threat was said to entail CocoaPods which is used by programmers to combine software libraries across Apple’s apps. Right now, the feature is found to include up to three major vulnerabilities entailing a flaw that goes back 10 years. It would be exploited to privately introduce malware into platforms that place heavy reliance on this endeavor.

The threat is major and very alarming since the software was said to be utilized by more than 3 million platforms. Hence, experts claim that such attacks across the mobile ecosystem could give rise to nearly all devices from Apple getting impacted.

And in the end, thousands of firms could be left fighting in a vulnerable position, including damaging reputation and financial losses. This was generated as a warning by top security experts based in Israel who hailed from EVA Info Security.

Of the three flaws highlighted so far by researchers, the topmost one to worry about was the CVE-2024-38366 which was designed by hackers to take complete control of software called Pods.

This would allow them to get access without going through any form of verification as confirmed by the security company. So at this stage of the game, it could further manipulate security codes or add malware to new Pods.

This chain of events would carry on and go about infecting a lot of other downstream dependencies as proclaimed in the study.

The good news is that the flaws were fixed after the same security company made reports about the threats facing CocoaPods. More details regarding the solution revolved around how every key session got wiped out so that unauthorized individuals couldn’t make any changes to the codes.

We still cannot be certain that the hackers ended up exploiting flaws to discreetly make amendments to apps affected by this ordeal.

The latest report on this matter just goes to show that open source software can carry a lot of vulnerability and risk affecting entire software ecosystems, similar to the manner involving a flaw in 2021 with the infamous Apache Log4j was unraveled.

Experts have also spoken about the dangers that open-source software brings forward when they are handled by volunteer programmers. This just makes them so much more vulnerable to the likes of greater hacking in the future.

In reply to just that, we’ve seen Google join hands with the White House and push for a massive effort to provide safer software projects that are open source in design. But with incidents like these on the rise, it’s clear how the tech world needs to enhance oversight for tools that are open-sourced.

The security company warned that adopting open-source software cannot be avoided but knowing the risks involved in terms of attacks on software supply chains must also be weighed and the necessary precautions must be taken.

Read next: More Setback For Meta As Brazil Suspends Its Latest Privacy Policy With Immediate Effect