• AutoTL;DRB
    link
    fedilink
    English
    35 months ago

    This is the best summary I could come up with:


    Hackers could have added malicious code compromising the security of millions or billions of people who installed them, researchers said Monday.

    The vulnerabilities, which were fixed last October, resided in a “trunk” server used to manage CocoaPods, a repository for open source Swift and Objective-C projects that roughly 3 million macOS and iOS apps depend on.

    “Injecting code into these applications could enable attackers to access this information for almost any malicious purpose imaginable—ransomware, fraud, blackmail, corporate espionage… In the process, it could expose companies to major legal liabilities and reputational risk.”

    The three vulnerabilities EVA discovered stem from an insecure verification email mechanism used to authenticate developers of individual pods.

    This vulnerability, tracked as CVE-2024-38367, resided in the session_controller class of the trunk server source code, which handles the session validation URL.

    The trunk server relies on RFC822 formalized in 1982 to verify the uniqueness of registered developer email addresses and check if they follow the correct format.


    The original article contains 498 words, the summary contains 159 words. Saved 68%. I’m a bot and I’m open source!