The vulnerabilities in CocoaPods' trunk server were discovered by security researchers at E.V.A Information Security, who reached out to the CocoaPods team with their findings. The researchers identified three separate vulnerabilities that could be exploited to stage software supply chain attacks, putting downstream customers at severe risk.
The vulnerabilities, which affected macOS and iOS apps for a decade, were related to an insecure email verification mechanism used to authenticate the developers of individual pods in the CocoaPods repository. These vulnerabilities allowed attackers to inject malicious code into apps and gain access to sensitive information, exposing millions of users to potential risks.
Hackers could have exploited these vulnerabilities by injecting malicious code into open source Swift and Objective-C projects on the CocoaPods repository, which is used by approximately 3 million macOS and iOS apps. This could have compromised the security of millions or billions of users who installed the affected apps, potentially allowing attackers to access sensitive information for malicious purposes such as ransomware, fraud, and corporate espionage.