An E.V.A. Information Security researcher used a spoofed session validation token to take over a CocoaPods account. Image: E.V.A. Information Security The vulnerabilities have since been patched, but had quietly persisted since the CocoaPods migration in 2014.