1. Forum
  2. tqwNet
  3. TQW_GENTECH

  • Millions of iOS apps could have been hit by cyberattack due to th

    From TechnologyDaily@1337:1/100 to All on Tue Jul 2 19:15:04 2024
    Millions of iOS apps could have been hit by cyberattack due to this worrying flaw

    Date:
    Tue, 02 Jul 2024 19:08:00 +0000

    Description:
    CocoaPods was vulnerable in a way that allowed attackers to mount supply
    chain attacks.

    FULL STORY ======================================================================

    A key tool used primarily in iOS and macOS app development was vulnerable in
    a way that opened up millions of Mac apps to supply chain attacks, experts have warned.

    Cybersecurity researchers EVA Information Security claim a dependency manager for Swift and Objective-C projects called CocoaPods, carried three vulnerabilities in a trunk server used to manage CocoaPods.

    One of the vulnerabilities resides in the verification email mechanism that the platform uses to authenticate pod developers. To gain access to an account, the developer would enter their email address associated with the pod, and then get a link sent to their email. However, the URL in the link could be altered to redirect the developer to a server under the attackers control. Millions of people at risk

    The second vulnerability allowed threat actors to take over pods abandoned by developers - but still used in apps. The third vulnerability grants the attackers the ability to run code on the trunk server.

    Since roughly 3 million mobile apps are using some 100,000 libraries found on the platform, the attack surface is quite big. To make matters worse, once
    the library is altered, the apps using it would update it automatically, with no interaction from the end user.

    Many applications can access a users most sensitive information: credit card details, medical records, private materials, and more, the researchers said
    in their writeup. Injecting code into these applications could enable attackers to access this information for almost any malicious purpose imaginable ransomware , fraud, blackmail, corporate espionage In the process, it could expose companies to major legal liabilities and reputational risk.

    The vulnerabilities were disclosed, and fixed, in October 2023 - and at the time, there was no evidence of in-the-wild abuse. Today, app developers and users are not required to do anything to secure their premises. More from TechRadar Pro Software supply chains are becoming a worrying weak link for firms of all sizes Here's a list of the best firewalls today These are the best endpoint protection tools right now



    ======================================================================
    Link to news story: https://www.techradar.com/pro/security/millions-of-ios-apps-could-have-been-hi t-by-cyberattack-due-to-this-worrying-flaw


    --- Mystic BBS v1.12 A47 (Linux/64)
    * Origin: tqwNet Technology News (1337:1/100)