CocoaPods Vulnerabilities from 2014 Affect almost all Apple devices, Facebook, TikTok apps and more

CocoaPods vulnerabilities reported today could allow malicious actors to take over thousands of unclaimed pods and insert malicious code into many of the most popular iOS and macOS applications, potentially affecting “almost every Apple device.”

E.V.A Information Security researchers found that the three vulnerabilities in the open source CocoaPods dependency manager were present in applications provided by Meta (Facebook, WhatsApp), Apple (Safari, Apple TV, Xcode), and Microsoft (Teams); as well as in TikTok, Snapchat, Amazon, LinkedIn, Netflix, Okta, Yahoo, Zynga, and many more.

The vulnerabilities have been patched, yet the researchers still found 685 Pods “that had an explicit dependency using an orphaned Pod; doubtless there are hundreds or thousands more in proprietary codebases.”

The widespread issue is further evidence of the vulnerability of the software supply chain. The researchers wrote that they often find that 70-80% of client code they review “is composed of open-source libraries, packages, or frameworks.”

The CocoaPods Vulnerabilities

The newly discovered vulnerabilities – one of which (CVE-2024-38366) received the maximum 10 out of 10 CVSS severity score – actually date from a May 2014 CocoaPods migration to a new ‘Trunk’ server, which left 1,866 orphaned pods that their owners never reclaimed.

The other two CocoaPods vulnerabilities (CVE-2024-38368 and CVE-2024-38367) also date from the migration.

For CVE-2024-38368, the researchers said that in analyzing the source code of the ‘Trunk’ server, they noticed that all orphan pods were associated with a default CocoaPods owner, and the email created for this default owner was unclaimed-pods@cocoapods.org. They also noticed that the public API endpoint to claim a pod was still available, and the API “allowed anyone to claim orphaned pods without any ownership verification process.”

“By making a straightforward curl request to the publicly available API, and supplying the unclaimed targeted pod name, the door was wide open for a potential attacker to claim any or all of these orphaned Pods as their own,” wrote Reef Spektor and Eran Vaknin.

Once an attacker had taken over a Pod, they would be able to manipulate its source code or insert malicious content into it, which “would then go on to infect many downstream dependencies, and potentially find its way into a large percentage of Apple devices currently in use.”

[…]

“The vulnerabilities we discovered could be used to control the dependency manager itself, and any published package.”

Downstream dependencies could mean that thousands of applications and millions of devices were exposed over the last few years, and close attention should be paid to software that relies on orphaned CocoaPod packages that do not have an owner assigned to them.

Developers and organizations should review dependency lists and package managers used in their applications, validate checksums of third-party libraries, perform periodic scans to detect malicious code or suspicious changes, keep software updated, and limit use of orphaned or unmaintained packages.
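As an added example of the dependency-list and checksum review recommended above (this is not code from the article, from E.V.A, or from CocoaPods itself): a Python script that parses a Podfile.lock, compares the resolved pods and their SPEC CHECKSUMS against a baseline captured from a previously reviewed build, and hashes a vendored podspec to confirm it still matches what the lockfile recorded. The sample lockfile, the baseline, and every pod name and hash in it are constructed for illustration. The assumption that a SPEC CHECKSUMS entry is the hex SHA-1 of the raw podspec file contents is mine, not something the page states.

```python
"""Audit a CocoaPods Podfile.lock against a pinned baseline.

Added example, not from the original article or from CocoaPods.
Everything below (lockfile, baseline, names, hashes) is constructed.
"""
import hashlib
import re

# Constructed sample Podfile.lock; pod names and checksums are made up.
SAMPLE_LOCK = """\
PODS:
  - ExamplePod (1.2.0):
    - NetKit (~> 2.0)
  - LegacyHelper (0.3.1)
  - NetKit (2.0.4)
  - NetKit/Core (2.0.4)

DEPENDENCIES:
  - ExamplePod (~> 1.2)
  - LegacyHelper

SPEC CHECKSUMS:
  ExamplePod: 1111111111111111111111111111111111111111
  LegacyHelper: 2222222222222222222222222222222222222222
  NetKit: 3333333333333333333333333333333333333333

PODFILE CHECKSUM: 4444444444444444444444444444444444444444

COCOAPODS: 1.15.2
"""

# Constructed baseline from an earlier reviewed build: name -> (version, checksum).
BASELINE = {
    "ExamplePod": ("1.2.0", "1111111111111111111111111111111111111111"),
    "LegacyHelper": ("0.3.1", "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"),
}

# Top-level PODS entry: two-space indent, name, resolved version in parentheses.
POD_LINE = re.compile(r"^  - ([^\s(]+) \(([^)]+)\):?$")
# SPEC CHECKSUMS entry: two-space indent, name, 40 hex chars.
CHECKSUM_LINE = re.compile(r"^  ([^:]+): ([0-9a-f]{40})$")


def parse_lockfile(text):
    """Return ({pod: version}, {pod: spec checksum}) from Podfile.lock text.

    Only two-space-indented PODS entries are resolved versions; deeper lines
    are dependency constraints and are ignored. Subspecs (Name/Sub) collapse
    onto their root pod, because the checksum is recorded per root podspec.
    """
    pods, checksums, section = {}, {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line.startswith(" "):
            section = line.split(":")[0]  # e.g. "PODS", "SPEC CHECKSUMS"
            continue
        if section == "PODS":
            m = POD_LINE.match(line)
            if m:
                pods.setdefault(m.group(1).split("/")[0], m.group(2))
        elif section == "SPEC CHECKSUMS":
            m = CHECKSUM_LINE.match(line)
            if m:
                checksums[m.group(1)] = m.group(2)
    return pods, checksums


def audit(pods, checksums, baseline):
    """Classify each locked pod against the baseline.

    'changed_same_version' is the bucket to escalate: the podspec hash moved
    while the version string did not, which is what a pod re-published under
    a claimed name would look like to a consumer who never bumped it.
    """
    report = {"new": [], "version_bump": [], "changed_same_version": [],
              "removed": [], "unchanged": []}
    for name, version in sorted(pods.items()):
        if name not in baseline:
            report["new"].append(name)
            continue
        base_version, base_digest = baseline[name]
        if version != base_version:
            report["version_bump"].append(name)
        elif checksums.get(name) != base_digest:
            report["changed_same_version"].append(name)
        else:
            report["unchanged"].append(name)
    report["removed"] = sorted(set(baseline) - set(pods))
    return report


def podspec_checksum(podspec_bytes):
    """Hex SHA-1 of a podspec file's raw contents.

    Assumption (not stated on the page): this is how CocoaPods derives the
    SPEC CHECKSUMS value, so a vendored podspec can be hashed locally.
    """
    return hashlib.sha1(podspec_bytes).hexdigest()


def verify_podspec(name, podspec_bytes, checksums):
    """True when the local podspec hashes to the checksum the lockfile recorded."""
    return checksums.get(name) == podspec_checksum(podspec_bytes)


if __name__ == "__main__":
    locked_pods, spec_sums = parse_lockfile(SAMPLE_LOCK)
    for category, names in audit(locked_pods, spec_sums, BASELINE).items():
        if names:
            print(f"{category}: {', '.join(names)}")
```

Run against the constructed sample, the script reports NetKit as a new pod that nobody reviewed, and LegacyHelper as a pod whose podspec checksum changed without a version change; both are the cases to investigate before trusting the build, and the second is where a hijacked pod would surface. Wire the audit into CI so a Podfile.lock diff cannot land without an updated baseline.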

“Dependency managers are an often-overlooked aspect of software supply chain security,” the researchers wrote. “Security leaders should explore ways to increase governance and oversight over the use of these tools.”

Source: CocoaPods Vulnerabilities Could Affect Apple, Facebook, TikTok

Universal income experiment in Denver leads to predictable results – less tax $ spent, less homelessness

An experiment to pay people who were homeless in Denver with no limits on how they could spend the money led to twice as many people in stable housing, according to researchers who released their one-year report Tuesday.

More than 800 people were selected to participate in the Denver Basic Income Project while they were living on the streets, in shelters, on friends’ couches or in vehicles. They were separated into three groups. Group A received $1,000 per month for a year. Group B received $6,500 the first month and $500 for the next 11 months. And group C, the control group, received $50 per month.

About 45% of participants in all three groups were living in a house or apartment that they rented or owned by the study’s 10-month check-in point, according to the research. The number of nights spent in shelters among participants in the first and second groups decreased by half. And participants in those two groups reported an increase in full-time work, while the control group reported decreased full-time employment.

The project also saved tax dollars, according to the report. Researchers tallied an estimated $589,214 in savings on public services, including ambulance rides, visits to hospital emergency departments, jail stays and shelter nights.

[…]

Mark Donovan, founder and executive director of the Denver Basic Income Project, said his goal is to make the project permanent.

“We believe the first year of the program established a sense of stability for participants, and the second year and beyond is when individuals can experience an even more profound transformation,” he said in an emailed news release. “We aim to persuade policymakers to establish permanent funding streams for programs like ours.”

Of the $9.2 million spent on the program in 2023, $7.1 million went to participants. The rest went to delivery and fund-raising costs.

The average age of participants was 44, with the youngest 18 and the oldest 86. About 34% of participants were white, 27% were Black, and 7% were Indigenous or Native American.

Source: What happened after homeless people in Denver got paid with no strings attached

Proton Docs is a privacy-focused answer to Google Docs and Microsoft Word

Proton Docs looks a lot like Google Docs: white pages, formatting toolbar at the top, live indicators showing who’s in the doc with their name attached to a cursor, the whole deal. That’s not especially surprising, for a couple of reasons. First, Google Docs is hugely popular, and there are only so many ways to style a document editor anyway. Second, Proton Docs exists in large part to be all the things that are great about Google Docs — just without Google in the mix.

Docs is launching today inside of Proton Drive, as the latest app in Proton’s privacy-focused suite of work tools. The company that started as an email client now also offers a calendar, a file storage system, a password manager, and more. Adding Docs to the ecosystem makes sense for Proton as it tries to compete with Microsoft Office and Google Workspace, and it clearly seemed to be on the way after Proton acquired Standard Notes in April. Standard Notes isn’t going away, though, Proton PR manager Will Moore tells me; Docs is just borrowing some of its features.

The first version of Proton Docs seems to have most of what you’d expect in a document editor: rich text options, real-time collaborative editing, and multimedia support. (If Proton can handle image embeds better than Google, it might have a hit on its hands just for that.) It’s web-only and desktop-optimized for now, though Moore tells me it’ll eventually come to other platforms. “Everything that Google’s got is on our roadmap,” he says.

[Image: a screenshot of multiple editors in Proton Docs. Caption: “Imagine Google Docs… there, that’s it. You know what Proton Docs looks like.” Image: Proton]

Since this is a Proton product, security is everything: the company says every document, keystroke, and even cursor movement is end-to-end encrypted in real time. Proton has long promised to never sell or otherwise use your user data

[…]

Source: Proton Docs is a privacy-focused answer to Google Docs and Microsoft Word – The Verge

Spain introduces porn passport – really wants to know what you are watching and especially how often erm… no… *cough* to stop kids from watching smut

The Spanish government has a plan to prevent kids from watching porn online: Meet the porn passport.

Officially (and drily) called the Digital Wallet Beta (Cartera Digital Beta), the app Madrid unveiled on Monday would allow internet platforms to check whether a prospective smut-watcher is over 18. Porn-viewers will be asked to use the app to verify their age. Once verified, they’ll receive 30 generated “porn credits” with a one-month validity granting them access to adult content. Enthusiasts will be able to request extra credits.

While the tool has been criticized for its complexity, the government says the credit-based model is more privacy-friendly, ensuring that users’ online activities are not easily traceable.

The system will be available by the end of the summer. It will be voluntary, as online platforms can rely on other age-verification methods to screen out inappropriate viewers. It heralds an EU law going into force in October 2027, which will require websites to stop minors from accessing porn.

Eventually, Madrid’s porn passport is likely to be replaced by the EU’s very own digital identity system (eIDAS2) — a so-called wallet app allowing people to access a smorgasbord of public and private services across the whole bloc.

“We are acting in advance and we are asking platforms to do so too, as what is at stake requires it,” José Luis Escrivá, Spain’s digital secretary, told Spanish newspaper El País.

Source: Spain introduces porn passport to stop kids from watching smut – POLITICO

Every time they mention kids, have a really good look at how much more they are spying on you and controlling your actions.

Eindhoven 3D printing service Shapeways files for bankruptcy

The 3D printing service Shapeways, originally from Eindhoven, is bankrupt, both in the Netherlands and the US.

Shapeways started in 2007 as a spin-off from Philips. The company let users design and upload their own 3D files, after which Shapeways could print the objects.

The company has been listed on the American stock exchange since 2021. At the time, sales were expected to grow to $250 million by 2024, but that was not achieved. In 2023, the company posted a net loss of $43.9 million, compared to a loss of $20.2 million in 2022.

The company had already reported to the US Securities and Exchange Commission in May that it did not have sufficient liquid assets.

In the Netherlands, the company was declared bankrupt on July 3 by the court in East Brabant.

Source: The curtain falls for Eindhoven 3D printing service Shapeways – Emerce

Apple bows to Kremlin pressure to remove leading VPNs from Russian AppStore – in other news, Apple still active in Russia

Apple has removed several apps offering virtual private network (VPN) services from the Russian AppStore, following a request from Roskomnadzor, Russia’s media regulator, independent news outlet Mediazona reported on Thursday.

The VPN services removed by Apple include leading services such as ProtonVPN, Red Shield VPN, NordVPN and Le VPN. Those living in Russia will no longer be able to download the services, while users who already have them on their phones can continue using them, but will be unable to update them.

Red Shield VPN posted a notice from Apple on X, which said that their app would be removed following a request from Roskomnadzor, “because it includes content that is illegal in Russia”.

Since the start of the Russian invasion of Ukraine in February 2022, the Kremlin has introduced strict online censorship and has blocked numerous independent media outlets and popular social media apps such as Facebook, Instagram and X.

As a result, anyone wanting to access blocked sites from Russia is forced to use a VPN, an encrypted tunnel that carries the user’s internet traffic to a server elsewhere, so that sites see the VPN server’s IP address rather than the user’s own.

[…]

Source: Apple bows to Kremlin pressure to remove leading VPNs from Russian AppStore — Novaya Gazeta Europe