Orphaned Pods are used as dependencies of many other packages available on
CocoaPods. For example, we found mentions of orphaned Pods in the
documentation or terms of service documents of applications provided by
Meta (Facebook, Whatsapp), Apple (Safari, AppleTV, Xcode), and Microsoft
(Teams); as well as in TikTok, Snapchat, Amazon, LinkedIn, Netflix, Okta,
Yahoo, Zynga, and many more.

Overall we found 685 Pods that had an explicit dependency using an orphaned
Pod; doubtless there are hundreds or thousands more in proprietary
codebases. All of these were, at some period or another, vulnerable to the
supply chain attack described below.

By taking ownership of a part of the iOS/macOS app supply chain, and based
on the documented dependencies we mentioned above, an attacker would have
free reign to access millions of mobile apps and the hundreds of millions
of people that use them.

Many of these unclaimed Pods are still in wide use.

https://www.evasec.io/blog/eva-discovered-supply-chain-vulnerabities-in-cocoapods

On 2024-07-06 12:34, Wolf Greenblatt wrote:
> Orphaned Pods are

.... been asleep most of the week, huh?

--
"It would be a measureless disaster if Russian barbarism overlaid
the culture and independence of the ancient States of Europe."
Winston Churchill

On Sat, 6 Jul 2024 12:48:23 -0400, Alan Browne wrote:

> ... been asleep most of the week, huh?

How did you find out about this new hole found in millions of mac/iOs apps?

I was looking up Swift documentation for a project when all the hits by
reverse date shows up to be about this vulnerability for mac/iOS apps.

https://forums.appleinsider.com/discussion/236916/vulnerabilities-found-in-swift-repository-left-millions-of-iphone-apps-exposed
The open-source Swift and Objective-C repository, CocoaPods, had multiple
vulnerabilities that left millions of iOS and macOS apps exposed for a
decade

https://thehackernews.com/2024/07/critical-flaws-in-cocoapods-expose-ios.html
security flaws were uncovered in the CocoaPods dependency manager for Swift

https://www.evasec.io/blog/eva-discovered-supply-chain-vulnerabities-in-cocoapods
CocoaPods is an open source dependency manager for Swift

https://www.techrepublic.com/article/apple-applications-cocoapods-supply-chain-attack/
CocoaPods is a dependency manager for Swift and Objective-C projects

The holes are so big they can't be avoided but why did Apple not find it?

Wolf Greenblatt <wolf@greenblatt.net> wrote:
> On Sat, 6 Jul 2024 12:48:23 -0400, Alan Browne wrote:
>
>> ... been asleep most of the week, huh?
>
> How did you find out about this new hole found in millions of mac/iOs apps?
>
> I was looking up Swift documentation for a project when all the hits by
> reverse date shows up to be about this vulnerability for mac/iOS apps.
>
> https://forums.appleinsider.com/discussion/236916/vulnerabilities-found-in-swift-repository-left-millions-of-iphone-apps-exposed
> The open-source Swift and Objective-C repository, CocoaPods, had multiple
> vulnerabilities that left millions of iOS and macOS apps exposed for a
> decade
>
> https://thehackernews.com/2024/07/critical-flaws-in-cocoapods-expose-ios.html
> security flaws were uncovered in the CocoaPods dependency manager for Swift
>
> https://www.evasec.io/blog/eva-discovered-supply-chain-vulnerabities-in-cocoapods
> CocoaPods is an open source dependency manager for Swift
>
> https://www.techrepublic.com/article/apple-applications-cocoapods-supply-chain-attack/
> CocoaPods is a dependency manager for Swift and Objective-C projects
>
> The holes are so big they can't be avoided but why did Apple not find it?
>

We’re being told it’s not Apple’s job to find security holes in other
peoples dependencies so it’s not their fault.

On 2024-07-06 16:07, Wolf Greenblatt wrote:
> On Sat, 6 Jul 2024 12:48:23 -0400, Alan Browne wrote:
>
>> ... been asleep most of the week, huh?
>
> How did you find out about this new hole found in millions of mac/iOs apps?

This was on various industry news sites last week.

> The holes are so big they can't be avoided but why did Apple not find it?

Why would Apple find holes in a 3rd party toolchain library?

Esp. if no malicious code was distributed. (AFAIK none was).

--
"It would be a measureless disaster if Russian barbarism overlaid
the culture and independence of the ancient States of Europe."
Winston Churchill

On 2024-07-06, Wolf Greenblatt <wolf@greenblatt.net> wrote:
> On Sat, 6 Jul 2024 12:48:23 -0400, Alan Browne wrote:
>
>> ... been asleep most of the week, huh?
>
> How did you find out about this new hole found in millions of mac/iOs
> apps?

Most of us knew about it before you because it was widely reported on
various Apple news sources.

> I was looking up Swift documentation for a project when all the hits
> by reverse date shows up to be about this vulnerability for mac/iOS
> apps.

No you weren't. You think we don't know who you are? How cute.

> The holes are so big they can't be avoided but why did Apple not find
> it?

It's not Apple's job to police third-party package mangers. You
desperately want to blame Apple for something that is very clearly not
Apple's fault, because: troll.

Your trolls are as weak as your intellect, little Arlen.

--
E-mail sent to this address may be devoured by my ravenous SPAM filter.
I often ignore posts from Google. Use a real news client instead.

JR

On 2024-07-06, badgolferman <REMOVETHISbadgolferman@gmail.com> wrote:
>
> We’re being told it’s not Apple’s job to find security holes in other
> peoples dependencies so it’s not their fault.

You are desperately trying to blame Apple, because: troll.

--
E-mail sent to this address may be devoured by my ravenous SPAM filter.
I often ignore posts from Google. Use a real news client instead.

JR

Jolly Roger <jollyroger@pobox.com> wrote:
> On 2024-07-06, badgolferman <REMOVETHISbadgolferman@gmail.com> wrote:
>>
>> We’re being told it’s not Apple’s job to find security holes in other
>> peoples dependencies so it’s not their fault.
>
> You are desperately trying to blame Apple, because: troll.
>

Didn’t you just say this?

“It's not Apple's job to police third-party package mangers.”

On Sat, 6 Jul 2024 23:17:58 -0000 (UTC), badgolferman wrote:

>>> We're being told it's not Apple's job to find security holes in other
>>> peoples dependencies so it's not their fault.
>>
>> You are desperately trying to blame Apple, because: troll.
>>
>
> Didn't you just say this?
>
> "It's not Apple's job to police third-party package mangers."

Isn't Swift touted to be "safe by design" on Apple own corporate web pages?

https://developer.apple.com/swift/

"Swift is a powerful and intuitive programming language for all Apple
platforms. It's easy to get started using Swift, with a
concise-yet-expressive syntax and modern features you'll love. Swift code
is safe by design and produces software that runs lightning fast."

"Designed for safety"

"Swift eliminates entire classes of unsafe code"

"Swift makes software safer and faster, while also making programming more
fun."

"Another safety feature is that by default Swift objects can never be nil.
This makes code much cleaner and safer"

"Swift syntax ensures you to safely deal with it using the ? syntax to
indicate to the compiler you understand the behavior and will handle it
safely."

"Swift is perfect for use in server apps that need runtime safety"

If researchers can find these holes, what is the reason Apple can't?

On 2024-07-06 16:45, Wolf Greenblatt wrote:
> On Sat, 6 Jul 2024 23:17:58 -0000 (UTC), badgolferman wrote:
>
>>>> We're being told it's not Apple's job to find security holes in other
>>>> peoples dependencies so it's not their fault.
>>>
>>> You are desperately trying to blame Apple, because: troll.
>>>
>>
>> Didn't you just say this?
>>
>> "It's not Apple's job to police third-party package mangers."
>
> Isn't Swift touted to be "safe by design" on Apple own corporate web pages?

CocoaPods isn't part of Swift.

>
> https://developer.apple.com/swift/
>
> "Swift is a powerful and intuitive programming language for all Apple
> platforms. It's easy to get started using Swift, with a
> concise-yet-expressive syntax and modern features you'll love. Swift code
> is safe by design and produces software that runs lightning fast."
>
> "Designed for safety"
>
> "Swift eliminates entire classes of unsafe code"
>
> "Swift makes software safer and faster, while also making programming more
> fun."
>
> "Another safety feature is that by default Swift objects can never be nil.
> This makes code much cleaner and safer"
>
> "Swift syntax ensures you to safely deal with it using the ? syntax to
> indicate to the compiler you understand the behavior and will handle it
> safely."
>
> "Swift is perfect for use in server apps that need runtime safety"
>
> If researchers can find these holes, what is the reason Apple can't?
Read above.

On Sat, 6 Jul 2024 16:49:22 -0700, Alan wrote:

>> Isn't Swift touted to be "safe by design" on Apple own corporate web pages?
>
> CocoaPods isn't part of Swift.

Maybe you didn't read any of the links about CocoPods & Swift in
Message-ID: <v6c85a$17bja$1@news.samoylyk.net>

Even so, given CocoPods is used in over three million mac/iOS apps, why is
it that researchers can find these flaws but Apple can't seem to do it?

Why then does Apple even bother to advertise safety and security if safety
and security is not something Apple cares to test for in apps people use?

On 2024-07-06, badgolferman <REMOVETHISbadgolferman@gmail.com> wrote:
> Jolly Roger <jollyroger@pobox.com> wrote:
>> On 2024-07-06, badgolferman <REMOVETHISbadgolferman@gmail.com> wrote:
>>>
>>> We’re being told it’s not Apple’s job to find security holes in
>>> other peoples dependencies so it’s not their fault.
>>
>> You are desperately trying to blame Apple, because: troll.
>
> Didn’t you just say this?
>
> “It's not Apple's job to police third-party package mangers.”

Did you just try to blame Apple for third party package managers? Yes,
yes you did. Because: Troll.

--
E-mail sent to this address may be devoured by my ravenous SPAM filter.
I often ignore posts from Google. Use a real news client instead.

JR

On 2024-07-06, Wolf Greenblatt <wolf@greenblatt.net> wrote:
> On Sat, 6 Jul 2024 23:17:58 -0000 (UTC), badgolferman wrote:
>
>>>> We're being told it's not Apple's job to find security holes in
>>>> other peoples dependencies so it's not their fault.
>>>
>>> You are desperately trying to blame Apple, because: troll.
>>
>> Didn't you just say this?
>>
>> "It's not Apple's job to police third-party package mangers."
>
> Isn't Swift touted to be "safe by design" on Apple own corporate web
> pages?

Dip shit trolls display that they can't distinguish between first-party
and third-party code. More news at 10.

--
E-mail sent to this address may be devoured by my ravenous SPAM filter.
I often ignore posts from Google. Use a real news client instead.

JR

On 2024-07-06, Wolf Greenblatt <wolf@greenblatt.net> wrote:
> On Sat, 6 Jul 2024 16:49:22 -0700, Alan wrote:
>
>>> Isn't Swift touted to be "safe by design" on Apple own corporate web pages?
>>
>> CocoaPods isn't part of Swift.
>
> Maybe you didn't read

No "maybe" about it. Your anti-Apple bias means you can't distinguish
between first-party and third-party systems and code.

--
E-mail sent to this address may be devoured by my ravenous SPAM filter.
I often ignore posts from Google. Use a real news client instead.

JR

Jolly Roger wrote on 6 Jul 2024 21:28:04 GMT :

>> The holes are so big they can't be avoided but why did Apple not find
>> it?
>
> It's not Apple's job to police third-party package mangers. You
> desperately want to blame Apple for something that is very clearly not
> Apple's fault, because: troll.

Jolly Roger wrote on 7 Jul 2024 02:06:58 GMT :

>> The fact is that I'm beginning to think you didn't lie, Chris.
>
> Not a fact. You lose.]

Holy shit! You didn't lie!
*You're just incredibly confident in your complete ignorance!*
<https://i.sstatic.net/NJkCp.png>

I've always said that there are always one of two reasons why you Apple
religious fundamentalist zealots are so confident about being wrong.
<https://i.sstatic.net/wgoc9.jpg>

1. You either brazenly lie, or,
2. You really believe Apple fully supports more than 1 release at a time.
<https://i.sstatic.net/XgbX3.jpg>

Since Chris and you can't answer this simple question, even now...
Q: Does Apple publicly state they fully support only one release at a time?
A: Yes or no.

I'm beginning to realize fundamentalist zealots didn't lie after all.
*You actually _believe_ Apple simultaneously fully supports >1 release!*
<https://i.sstatic.net/QbnWs.png>

In other words, you're all to the left of Mount Stupid on the
Dunning-Kruger scale, which is people who know absolutely nothing but who
feel they know everything - which is all your strange religious zealots.]
<https://i.sstatic.net/wAbpc.jpg>

On 2024-07-07, Andrew <andrew@spam.net> wrote:
> Jolly Roger wrote on 6 Jul 2024 21:28:04 GMT :
>
>>> The holes are so big they can't be avoided but why did Apple not
>>> find it?
>>
>> It's not Apple's job to police third-party package mangers. You
>> desperately want to blame Apple for something that is very clearly
>> not Apple's fault, because: troll.
>
> Jolly Roger wrote on 7 Jul 2024 02:06:58 GMT :
>
>>> The fact is that I'm beginning to think you didn't lie, Chris.
>>
>> Not a fact. You lose.]
>
> Holy shit! You didn't lie!

....yet you and your little troll buddies (namely badgolferman) continue
to lie trying to blame Apple for third-party vulnerabilities.

Here are some FACTS you desperately want us to ignore:

Open source vulnerabilities remain unpatched for decades
<https://www.itweb.co.za/article/open-source-vulnerabilities-remain-unpatched-for-decades/wbrpO7gPwGdMDLZn>
---
A new report reveals an enormous number of identified open source
vulnerabilities remain unpatched for 10 years and longer, often because
organisations have no idea what open source code they are using.
..
..
..
With software developers routinely taking code from open source
repositories to embed in their company's products to speed up the
development process, saving time and money, manually tracking
components, their versions and their vulnerabilities is way beyond the
capabilities of most organisations.

The report recommends all organisations invest in an automated solution
for identifying and patching known vulnerabilities. "You can't patch
software if you don't know you are using it," the authors point out.
---

--
E-mail sent to this address may be devoured by my ravenous SPAM filter.
I often ignore posts from Google. Use a real news client instead.

JR

On 2024-07-06 16:56, Wolf Greenblatt wrote:
> On Sat, 6 Jul 2024 16:49:22 -0700, Alan wrote:
>
>>> Isn't Swift touted to be "safe by design" on Apple own corporate web pages?
>>
>> CocoaPods isn't part of Swift.
>
> Maybe you didn't read any of the links about CocoPods & Swift in
> Message-ID: <v6c85a$17bja$1@news.samoylyk.net>
>
> Even so, given CocoPods is used in over three million mac/iOS apps, why is
> it that researchers can find these flaws but Apple can't seem to do it?
>
> Why then does Apple even bother to advertise safety and security if safety
> and security is not something Apple cares to test for in apps people use?

CocoaPods is NOT a part of Swift.

Swift is a PROGRAMMING LANGUAGE.

Jolly Roger wrote on 7 Jul 2024 03:21:43 GMT :

> ...yet you and your little troll buddies (namely badgolferman) continue
> to lie trying to blame Apple for third-party vulnerabilities.
> Here are some FACTS you desperately want us to ignore:
>
> Open source vulnerabilities remain unpatched for decades
> <https://www.itweb.co.za/article/open-source-vulnerabilities-remain-unpatched-for-decades/wbrpO7gPwGdMDLZn>
> ---
> A new report reveals an enormous number of identified open source
> vulnerabilities remain unpatched for 10 years and longer, often because
> organisations have no idea what open source code they are using.

Hi Jolly Roger,

The fact is that Apple highly touts that their ecosystem provides safety
and security and yet, you religious zealots are claiming that Apple lied.

Specifically, you zealots are claiming Apple is either incompetent at
testing for mac/iOS app vulnerabilities - or - Apple simply doesn't care.

Either way, the fact is if security researchers found these holes, there's
no good reason for you to claim that Apple isn't capable of finding them.

The fact is, either the Apple ecosystem provides the advertised safety and
security - or - the Apple ecosystem isn't even tested by Apple. Ever.

Given you religious zealots claim Apple is incompetent at testing, then we
can only assume that Apple lied when Apple touted safety and security.

The Apple ecosystem, in a word, is shit, and all you zealots can do is
claim that Apple is incompetent at testing that Apple shit ecosystem.

On 2024-07-06 19:45, Wolf Greenblatt wrote:

>
> Isn't Swift touted to be "safe by design" on Apple own corporate web pages?

You have 0 understanding of 3rd party toolchains and 3rd party code bases.

--
"It would be a measureless disaster if Russian barbarism overlaid
the culture and independence of the ancient States of Europe."
Winston Churchill

On 2024-07-06 19:56, Wolf Greenblatt wrote:
> On Sat, 6 Jul 2024 16:49:22 -0700, Alan wrote:
>
>>> Isn't Swift touted to be "safe by design" on Apple own corporate web pages?
>>
>> CocoaPods isn't part of Swift.
>
> Maybe you didn't read any of the links about CocoPods & Swift in
> Message-ID: <v6c85a$17bja$1@news.samoylyk.net>
>
> Even so, given CocoPods is used in over three million mac/iOS apps, why is
> it that researchers can find these flaws but Apple can't seem to do it?

As explained:
1. 3rd party tool/code base.
2. Did any malicious code get released this way? (to trigger Apple's
malicious code detection).

--
"It would be a measureless disaster if Russian barbarism overlaid
the culture and independence of the ancient States of Europe."
Winston Churchill

On Sun, 7 Jul 2024 07:37:29 -0400, Alan Browne wrote:

>> Isn't Swift touted to be "safe by design" on Apple own corporate web pages?
>
> You have 0 understanding of 3rd party toolchains and 3rd party code bases.

Probably very true. All I know is researchers found a flaw in millions of
mac/iOS apps and Apple didn't find that same flaw even after a decade.

Shouldn't Apple care that millions of mac/iOS apps are vulnerable?

The reports say that essentially every Apple owner is affected.
So why wouldn't Apple care to do what researchers did, only 10 years ago?

On 2024-07-07 12:06, Wolf Greenblatt wrote:
> On Sun, 7 Jul 2024 07:37:29 -0400, Alan Browne wrote:
>
>>> Isn't Swift touted to be "safe by design" on Apple own corporate web pages?
>>
>> You have 0 understanding of 3rd party toolchains and 3rd party code bases.
>
> Probably very true. All I know is researchers found a flaw in millions of
> mac/iOS apps and Apple didn't find that same flaw even after a decade.

Actually, no.

They found a flaw in one of the TOOLS developers USED to create millions
of apps.

>
> Shouldn't Apple care that millions of mac/iOS apps are vulnerable?

How, exactly?

>
> The reports say that essentially every Apple owner is affected.
> So why wouldn't Apple care to do what researchers did, only 10 years ago?

How would they do that?

On 2024-07-07, Alan <nuh-uh@nope.com> wrote:
> On 2024-07-07 12:06, Wolf Greenblatt wrote:
>> On Sun, 7 Jul 2024 07:37:29 -0400, Alan Browne wrote:
>>
>>>> Isn't Swift touted to be "safe by design" on Apple own corporate
>>>> web pages?
>>>
>>> You have 0 understanding of 3rd party toolchains and 3rd party code
>>> bases.
>>
>> Probably very true. All I know is researchers found a flaw in
>> millions of mac/iOS apps and Apple didn't find that same flaw even
>> after a decade.
>
> Actually, no.
>
> They found a flaw in one of the TOOLS developers USED to create
> millions of apps.

They also stated there is no direct evidence of any of these
vulnerabilities being exploited in the wild.

Apparently we are supposed to ignore all of that, and the fact that open
source vulnerabilities on other platforms also go unnoticed for decades,
because: Apple BAD! 😉

--
E-mail sent to this address may be devoured by my ravenous SPAM filter.
I often ignore posts from Google. Use a real news client instead.

JR

Jolly Roger hat am 07.07.2024 um 15:30 geschrieben:
>> They found a flaw in one of the TOOLS developers USED to create
>> millions of apps.
>
> They also stated there is no direct evidence of any of these
> vulnerabilities being exploited in the wild.

I think you made that up because the news said there are numerous exploits.
Not only was it exploited but it shows the ecosystem is riddled with holes.

On 2024-07-07 13:37, Silvano wrote:
> Jolly Roger hat am 07.07.2024 um 15:30 geschrieben:
>>> They found a flaw in one of the TOOLS developers USED to create
>>> millions of apps.
>>
>> They also stated there is no direct evidence of any of these
>> vulnerabilities being exploited in the wild.
>
> I think you made that up because the news said there are numerous exploits.
> Not only was it exploited but it shows the ecosystem is riddled with holes.

Quote some...