<v6brna$16iit$1@news.samoylyk.net>

Path: ...!2.eu.feeder.erje.net!feeder.erje.net!news2.arglkargh.de!news.karotte.org!news.szaf.org!news.samoylyk.net!.POSTED.public-nat-14.vpngate.v4.open.ad.jp!not-for-mail
From: Wolf Greenblatt <wolf@greenblatt.net>
Newsgroups: misc.phone.mobile.iphone,comp.sys.mac.apps
Subject: Orphaned CocoaPods are found in Apple software
Date: Sat, 6 Jul 2024 12:34:50 -0400
Organization: Private News Server
Message-ID: <v6brna$16iit$1@news.samoylyk.net>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Injection-Date: Sat, 6 Jul 2024 16:34:51 -0000 (UTC)
Injection-Info: news.samoylyk.net; posting-host="public-nat-14.vpngate.v4.open.ad.jp:219.100.37.246";
	logging-data="1264221"; mail-complaints-to="abuse@samoylyk.net"
Bytes: 1871
Lines: 19

Orphaned Pods are used as dependencies of many other packages available on
CocoaPods. For example, we found mentions of orphaned Pods in the
documentation or terms of service documents of applications provided by
Meta (Facebook, WhatsApp), Apple (Safari, AppleTV, Xcode), and Microsoft
(Teams); as well as in TikTok, Snapchat, Amazon, LinkedIn, Netflix, Okta,
Yahoo, Zynga, and many more.

Overall we found 685 Pods that had an explicit dependency using an orphaned
Pod; doubtless there are hundreds or thousands more in proprietary
codebases. All of these were, at some period or another, vulnerable to the
supply chain attack described below.

By taking ownership of a part of the iOS/macOS app supply chain, and based
on the documented dependencies we mentioned above, an attacker would have
free rein to access millions of mobile apps and the hundreds of millions
of people that use them.

Many of these unclaimed Pods are still in wide use.

https://www.evasec.io/blog/eva-discovered-supply-chain-vulnerabities-in-cocoapods
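The exposure the post describes, an app pulling in an unclaimed Pod directly or through its dependency chain, can be checked per project from its Podfile.lock. The Ruby script below is an added example, not code from the post or from EVA; the lockfile and the orphaned Pod name in it are constructed, and a real audit would take the orphan list from CocoaPods trunk ownership data.

```ruby
require 'yaml'
require 'set'
# Constructed sample Podfile.lock; the layout mirrors the real file format.
SAMPLE_LOCK = <<~LOCK
  PODS:
    - AppKitExtras (2.3.0):
      - LegacyNetworking (~> 1.1)
    - LegacyNetworking (1.1.4):
      - LegacyNetworking/Core (= 1.1.4)
    - LegacyNetworking/Core (1.1.4)
    - ModernUI (5.0.0)
  DEPENDENCIES:
    - AppKitExtras (~> 2.3)
    - ModernUI
LOCK
# Constructed placeholder: names of unclaimed Pods (from trunk ownership data in a real audit).
ORPHANED = Set["LegacyNetworking"].freeze

# "Foo/Core (~> 1.1)" -> "Foo": drop the version clause and roll subspecs up
# to their root Pod, since ownership is held per Pod, not per subspec.
def root_pod(spec)
  spec.sub(/\s*\(.*\)\s*\z/, "").split("/").first
end

# Build root Pod -> Set of root Pods it depends on, from the PODS section.
def dependency_graph(lock_yaml)
  graph = Hash.new { |h, k| h[k] = Set.new }
  YAML.safe_load(lock_yaml).fetch("PODS").each do |entry|
    spec, deps = entry.is_a?(Hash) ? entry.first : [entry, []]
    deps.each { |d| graph[root_pod(spec)] << root_pod(d) }
  end
  graph
end

# Depth-first search from `pod`; returns the chain of Pods that reaches an
# orphaned one, or nil. `seen` guards against dependency cycles.
def find_orphan(pod, graph, orphaned, seen = Set.new)
  return [pod] if orphaned.include?(pod)
  return nil unless seen.add?(pod)
  graph[pod].each do |dep|
    path = find_orphan(dep, graph, orphaned, seen)
    return [pod, *path] if path
  end
  nil
end

# Map each declared top-level dependency to its orphan chain (or nil if clean).
def orphan_paths(lock_yaml, orphaned)
  graph = dependency_graph(lock_yaml)
  YAML.safe_load(lock_yaml).fetch("DEPENDENCIES")
      .to_h { |d| [root_pod(d), find_orphan(root_pod(d), graph, orphaned)] }
end
```

Running `orphan_paths(SAMPLE_LOCK, ORPHANED)` on the sample reports that AppKitExtras reaches the orphaned LegacyNetworking while ModernUI is clean; point it at a project's real Podfile.lock and a sourced orphan list to get the same report for that app.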