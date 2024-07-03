Three CocoaPods vulnerabilities impacted millions of macOS and iOS applications. These vulnerabilities could have allowed account takeover, shell command execution, and package takeover. CocoaPods hosts over 100,000 libraries and has over three million application users. After migrating to a different server in 2014, thousands of packages were left orphaned because their previous owners were unknown. 1,866 packages remain orphaned and are therefore automatically associated with a default owner. Because every orphaned pod is tied to the same default owner email address, any actor could claim those pods and potentially replace them with malicious code. The other two vulnerabilities concern the verification process: they allow an attacker to manipulate packages as they are downloaded, or to hijack a pod owner’s session and take over the account. Although CocoaPods addressed these flaws in the fall of 2023, EVA Information Security is only now sharing details of the vulnerabilities.

