From: Wolf Greenblatt <wolf@greenblatt.net>
Newsgroups: misc.phone.mobile.iphone,comp.sys.mac.apps
Subject: Orphaned CocoaPods are found in Apple software
Date: Sat, 6 Jul 2024 12:34:50 -0400
Organization: Private News Server
Message-ID: <v6brna$16iit$1@news.samoylyk.net>

Orphaned Pods are used as dependencies of many other packages available on CocoaPods. For example, we found mentions of orphaned Pods in the documentation or terms of service documents of applications provided by Meta (Facebook, Whatsapp), Apple (Safari, AppleTV, Xcode), and Microsoft (Teams); as well as in TikTok, Snapchat, Amazon, LinkedIn, Netflix, Okta, Yahoo, Zynga, and many more. Overall we found 685 Pods that had an explicit dependency using an orphaned Pod; doubtless there are hundreds or thousands more in proprietary codebases. All of these were, at some period or another, vulnerable to the supply chain attack described below.

By taking ownership of a part of the iOS/macOS app supply chain, and based on the documented dependencies we mentioned above, an attacker would have free rein to access millions of mobile apps and the hundreds of millions of people that use them. Many of these unclaimed Pods are still in wide use.

https://www.evasec.io/blog/eva-discovered-supply-chain-vulnerabities-in-cocoapods
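The exposure the post describes, an app reaching an unclaimed Pod through its resolved dependency graph, can be checked on the defender's side by walking a project's Podfile.lock. The following is an added example, not code from the post or from EVA; the lock file contents and the set of unclaimed Pod names are constructed placeholders, since the post names no specific Pods.

```python
import re
from collections import deque, defaultdict

# Constructed sample Podfile.lock (not from the post); pod names are illustrative.
SAMPLE_LOCK = """\
PODS:
  - AppCore (3.2.0):
    - Logging/Console (= 1.4.0)
    - Networking (~> 2.0)
  - LegacyFormatter (0.9.3)
  - Logging/Console (1.4.0):
    - LegacyFormatter (>= 0.9)
  - Networking (2.1.0)

DEPENDENCIES:
  - AppCore (~> 3.0)
  - Networking
"""
ORPHANED = {"LegacyFormatter"}  # assumed placeholder; the post names no unclaimed Pod

def parse_lock(text):
    """Return (graph, direct): pod -> pods it depends on (subspecs collapsed to the parent), and the Podfile's own entries."""
    graph, direct, section, current = defaultdict(set), [], None, None
    for line in text.splitlines():
        m = re.match(r"^( *)- (\S+)", line)
        if not m:                                  # blank line or section header such as "PODS:"
            section = line.rstrip(":") or section
            continue
        indent, name = len(m.group(1)), m.group(2).split("/")[0]
        if section == "PODS" and indent == 2:      # a resolved pod
            current = name
        elif section == "PODS" and indent == 4 and current and name != current:
            graph[current].add(name)               # one of its dependencies
        elif section == "DEPENDENCIES" and indent == 2:
            direct.append(name)
    return graph, direct

def orphan_paths(graph, direct, orphaned):
    """Breadth-first search from each Podfile entry; return the shortest chain that ends in an unclaimed pod."""
    findings = {}
    for root in direct:
        queue, seen = deque([[root]]), {root}
        while queue and root not in findings:
            path = queue.popleft()
            if path[-1] in orphaned:
                findings[root] = path              # e.g. ['AppCore', 'Logging', 'LegacyFormatter']
            for dep in sorted(graph.get(path[-1], set()) - seen):
                seen.add(dep)
                queue.append(path + [dep])
    return findings
```

Run it against a real Podfile.lock by reading the file into `parse_lock`; a non-empty result means the named top-level dependency pulls in an unclaimed Pod, directly or transitively.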