JAKARTA - A new report reveals that about 3 million applications to iOS and macOS were exposed to potentially threatening supply chain attacks. This vulnerability range has been going on for nearly 10 years and was recently discovered by security researchers.

The vulnerability, which was successfully repaired in October last year, lies in a "trunk" server used to manage CocoaPods, a repository for Swift's open source and Objective-C projects that depend on it.

When developers make changes to one of their "pods" the term CocoaPods for individual 'dependent app code packets' usually incorporates it automatically through app updates, without interactions required by end users.

There are three main vulnerabilities found by researchers from EVA Information Security. The first, CVE-2024-38367, allows attackers to insert malicious codes through an unsafe verification email mechanism. The second, CVE-2024-38368, allows attackers to take over the pods left by their developers. While the third, CVE-2024-38366, allows attackers to run code on the retrunk server, providing full access to the server.

The researchers found that this vulnerability could be exploited to gain access to sensitive user information such as credit card details, medical records, and other personal material. They underlined that such attacks could be used for malicious purposes such as ransomware, fraud, or corporate espionage, which could potentially pose legal risks and reputation for the company.

Although this vulnerability has been fixed, this discovery shows how important security management is in software development, especially when it relies on third-party percentages such as CocoaPods. IOS and macOS app developers are advised to update podfile files regularly, validate CRCs against the dependence from CocoaPods, as well as run a thorough safety review of the third-party code used.

While there is no direct evidence that this vulnerability is being exploited in the wild, it is important for app developers to remain vigilant and implement suggested precautionary measures to protect end users from potential security risks that may arise.


The English, Chinese, Japanese, Arabic, and French versions are automatically generated by the AI. So there may still be inaccuracies in translating, please always see Indonesian as our main language. (system supported by DigitalSiber.id)