'Almost every Apple device' vulnerable to CocoaPods supply chain attack

CocoaPods, an open-source dependency manager used in over three million applications coded in Swift and Objective-C, left thousands of packages exposed and ready for takeover for nearly a decade – thereby creating opportunities for supply chain attacks on iOS and macOS apps, according to security researchers. Israeli firm EVA …

  1. Roland6 Silver badge

    EVA negligent?

    “To claim a Pod, all an attacker needed to do was transmit a particular CURL request, and voila – they would have free rein to modify a Pod and insert malicious code.”

    EVA could have proved the GitHub orphaned pod reclaim process was flawed and done the community a favour, by using CURL to claim all orphaned CocoaPods. They might then have used this to achieve better funding of security research by the majors… Yes, I know it’s borderline blackmail, but it is clear security researchers such as EVA are an important part of the modern IT ecosystem and even if everything were to be written in Rust would still be performing a useful task. Hence we really need to start giving them more than breadcrumbs.

    1. Blazde Silver badge

      Re: EVA negligent?

      authors asked to reclaim their work... with no need to provide any verification of ownership.

      I know it's open source and all but doesn't this sound.. sort of illegal? Or like it should be illegal at least?

      EVA could have proved the GitHub orphaned pod reclaim process was flawed and done the community a favour, by using CURL to claim all orphaned CocoaPods.

      I don't know what they'd achieve by that. They're unclaimed because nobody else wants responsibility for them, and when some do turn out to be pushing malware into useful software the blame would go toward EVA.

      1. Doctor Syntax Silver badge

        Re: EVA negligent?

        Claim them, lock them, throw away the key. The individual projects could still be forked to release them. It would be a more widely visible process than quietly using curl to take them over and the forks would therefore very likely get scrutinised before they were used in place of the originals. Perhaps this is what ought to have been done when the original migration took place.

        1. Roland6 Silver badge

          Re: EVA negligent?

          It would also contribute to the more important objective of securing the open source devops/supply chain, which is the systemic issue here.

          “Securing open source software: Whose job is it, anyway?”

          “Malicious xz backdoor reveals fragility of open source”

  2. Anonymous Coward

    I wonder if Apple owners are aware of this

    Seems a mite more important to them than having to use an "android charger"

  3. Irongut Silver badge

    But Apple products are more secure by design, right?

    LOL

    1. Bill Neal

      Objective C

      Apple already prevented any malware security issues long ago by forcing people to code in Objective C. Remember? Their apps are the most secure. /s

    2. MSArm

      You are sneering at Apple, and yet there's a Linux snafu published...

      https://www.theregister.com/2024/07/01/regresshion_openssh/?td=rt-3a

      1. cyberdemon Silver badge

        > You are sneering at Apple, and yet there's a Linux snafu published...

        Hardly the same level of borkage.. RTFA on the regresshion bug you linked - it's inherently rate-limited with an incredibly low chance of success - so no "proof of concept" beyond a denial of service, because it would take forever to successfully run remote code. Very few are affected anyway, since it doesn't affect older distros, and newer ones had already patched by the time the article went out.

        > Despite the regreSSHion bug, Qualys had nothing but positive things to say about the OpenSSH project, saying that the discovery is "one slip-up in an otherwise near-flawless implementation."

        > "Its defense-in-depth design and code are a model and an inspiration, and we thank OpenSSH's developers for their exemplary work," it added.

        Whereas this CocoaPods thing seems to be a very, very severe security flaw which had apparently gone unnoticed by Crapple for years.

        So why, in two separate posts, are you saying "but but.. Linux has a security flaw too!!"

        Desperate to defend your cult membership?

        Not to mention of course.. OpenSSH isn't even Linux! It's just OpenSSH and it runs on lots of platforms. It's no doubt running right now on your beloved cackbook.

        1. Anonymous Coward

          Re: > You are sneering at Apple, and yet there's a Linux snafu published...

          > OpenSSH isn't even Linux!

          And CocoaPods isn't a service provided or developed by Apple!

    3. This post has been deleted by its author

    4. Anonymous Coward

      Fortunately CocoaPods isn't an Apple product

  4. Dan 55 Silver badge

    This must be a new business model

    1. Take other people's work.

    2. Add value somehow by making yourself the single point of failure.

    3. Fail.

    See also: Recall.

  5. Ken Moorhouse Silver badge

    CocoaPods

    The baddies nearly had everyone's breakfast.

  6. MSArm

    Hooray for Linux https://www.theregister.com/2024/07/01/regresshion_openssh/?td=rt-3a

    1. Anonymous Coward

      This has to do with linux how?

      Let's face it, there are a lot of vulnerabilities out there, and some manufacture new ones on a daily basis by sacking their testers and foisting their barely functional betas on their customers to test (no, you don't win prizes for guessing who that is). That doesn't make one platform good or bad; it depends on how much risk you're willing to take and how much data loss you're comfortable agreeing to by using a platform.

      For our use, the combination of Linux/FreeBSD back ends and Apple endpoints worked best. We already limit what can be installed besides obvious oh-hell-no's such as X and any application made by Meta, but yes, we will be monitoring as before. We have to, we also have a few stations using that other OS and we had to stick that on a separate VLAN so it couldn't grab the corporate data it so desperately wants to get its hands on.

      And no, not into cloudy stuff of any kind either - we built our own. Our clients would leave us in droves if we didn't.

      1. Chappy

        When I saw your comment about X, my first thought was "Oh, what's wrong with X windows?", then a couple of seconds later my brain said "Oh, wrong decade, the writer probably means the artiste formerly known as Twitter".

        1. Anonymous Coward

          Yes, it's an annoying bit of cognitive dissonance. On the plus side, it's an appropriate name for it: it's by default crossed out :)
