Millions of iPhone apps have been vulnerable to hackers for 10 years

July 3, 2024  15:53

Millions of iPhone and Mac apps were exposed to attack for 10 years because of critical flaws in CocoaPods, the open-source dependency manager and package repository used by many popular apps for Apple devices. The vulnerabilities were disclosed in a report by E.V.A Information Security.

The first vulnerability, designated CVE-2024-38368, has a CVSS score of 9.3. It allowed an attacker to take control of software packages through the "Claim Your Pods" process; to do so, the attacker had to remove all previous developers from the project. The issue dates back to 2014, when the migration to the Trunk server left thousands of packages without owners, so that anyone with a public API endpoint and an email address could claim them.

The second vulnerability, CVE-2024-38366, received the maximum score of 10. It stems from an insecure email verification mechanism that allowed code execution on the server and replacement of target packages.

The third vulnerability, CVE-2024-38367, scored 8.2. It involved manipulating the email verification flow so that verification requests were redirected to attacker-controlled domains, exposing session tokens. The attack could succeed without any action by the user.

The CocoaPods team responded by releasing patches for the vulnerabilities in October 2023 and resetting all user sessions to prevent potential attacks, but the issues were made public only in early July.
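Because the takeover vector described above targets packages served from the public Trunk repository, a team's first question is which of its own dependencies come from Trunk, at which locked versions, and which direct requirements are loose enough to pick up a newly published release on the next update. The Ruby script below is an added example written for this article, not code from the E.V.A report or the CocoaPods project; it parses a Podfile.lock (valid YAML) and answers those questions. The embedded lock file and its checksums are constructed for the demonstration and do not describe any real project.

```ruby
# Added example (not from the article or the CocoaPods project): build a
# supply-chain inventory from a Podfile.lock. Podfile.lock is plain YAML, so the
# standard library is enough; no network access is needed.
require "yaml"

# Constructed Podfile.lock. Pod names are illustrative and the SPEC CHECKSUMS
# are made-up hex strings, not real spec checksums.
SAMPLE_LOCK = <<~LOCK
  PODS:
    - Alamofire (5.9.1)
    - Moya (15.0.0):
      - Moya/Core (= 15.0.0)
    - Moya/Core (15.0.0):
      - Alamofire (~> 5.8)
    - InternalKit (1.2.0)

  DEPENDENCIES:
    - Alamofire (~> 5.9)
    - InternalKit (from `https://git.example.internal/internalkit.git`, tag `1.2.0`)
    - Moya (= 15.0.0)

  SPEC REPOS:
    trunk:
      - Alamofire
      - Moya

  EXTERNAL SOURCES:
    InternalKit:
      :git: https://git.example.internal/internalkit.git
      :tag: 1.2.0

  SPEC CHECKSUMS:
    Alamofire: deadbeefdeadbeefdeadbeefdeadbeefdeadbeef
    Moya: cafebabecafebabecafebabecafebabecafebabe
    InternalKit: feedfacefeedfacefeedfacefeedfacefeedface

  PODFILE CHECKSUM: abcdef01abcdef01abcdef01abcdef01abcdef01

  COCOAPODS: 1.15.2
LOCK

# "Name (version)" as written under PODS; subspecs look like "Moya/Core (15.0.0)".
POD_ENTRY = /\A(\S+) \(([^)]+)\)\z/
# "Name (requirement)" as written under DEPENDENCIES; the requirement is optional.
DEP_ENTRY = /\A(\S+)(?: \((.*)\))?\z/

# CocoaPods writes external-source keys as Ruby symbols (:git, :tag), so Symbol
# must be explicitly permitted for safe_load.
def load_lock(lock_text)
  YAML.safe_load(lock_text, permitted_classes: [Symbol])
end

# Root pod name for a pod or subspec entry ("Moya/Core" -> "Moya").
def root_name(name)
  name.split("/").first
end

# Returns { root_pod => { version:, checksum:, source:, direct: } } with one
# entry per root pod; source is :trunk, :external or :unknown.
def inventory(lock_text)
  lock = load_lock(lock_text)
  trunk = lock.dig("SPEC REPOS", "trunk") || []
  external = (lock["EXTERNAL SOURCES"] || {}).keys
  direct = (lock["DEPENDENCIES"] || []).map { |d| root_name(d.split(" ").first) }
  checksums = lock["SPEC CHECKSUMS"] || {}

  (lock["PODS"] || []).each_with_object({}) do |entry, acc|
    # A pod with its own dependencies is a one-key hash; a leaf pod is a string.
    header = entry.is_a?(Hash) ? entry.keys.first : entry
    name, version = POD_ENTRY.match(header).captures
    root = root_name(name)
    next if acc.key?(root) # subspecs share the root pod's version and checksum
    source = if trunk.include?(root) then :trunk
             elsif external.include?(root) then :external
             else :unknown
             end
    acc[root] = { version: version, checksum: checksums[root],
                  source: source, direct: direct.include?(root) }
  end
end

# Direct dependencies served from Trunk whose Podfile requirement is not an
# exact "= x.y.z" pin. `pod install` honours the lock, but `pod update` resolves
# these to the newest version the requirement allows, so a malicious release
# pushed under a taken-over pod would be accepted. Returns [[name, requirement]].
def loose_trunk_requirements(lock_text)
  lock = load_lock(lock_text)
  trunk = lock.dig("SPEC REPOS", "trunk") || []
  (lock["DEPENDENCIES"] || []).filter_map do |dep|
    name, requirement = DEP_ENTRY.match(dep).captures
    root = root_name(name)
    next unless trunk.include?(root)
    next if requirement&.start_with?("= ")
    [root, requirement || "any version"]
  end
end

if __FILE__ == $PROGRAM_NAME
  inventory(SAMPLE_LOCK).each do |pod, info|
    puts format("%-12s %-8s %-9s direct=%-5s checksum=%s",
                pod, info[:version], info[:source], info[:direct], info[:checksum])
  end
  loose_trunk_requirements(SAMPLE_LOCK).each do |pod, req|
    puts "loose Trunk requirement: #{pod} (#{req})"
  end
end
```

Run against a real project's Podfile.lock, the inventory shows which pods the build trusts Trunk for, and the second function lists the direct requirements worth tightening to an exact pin; the locked spec checksums give a baseline to diff after any `pod update`.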
