A red team exercise identified critical vulnerabilities in CocoaPods, a popular dependency manager for iOS and macOS projects, which could allow attackers to compromise the CocoaPods server and inject malicious code into packages.
Because developers rely on CocoaPods to verify package integrity and authenticity, a compromised server could distribute tainted packages to a large number of mobile applications, which highlights the risk of software supply chain attacks in which open source dependencies become attack vectors.
Researchers identified critical vulnerabilities in CocoaPods, a dependency manager for Apple applications, where attackers could exploit these vulnerabilities to claim ownership of abandoned packages, inject malicious code, or compromise the CocoaPods server itself.
Supply chain attacks, in which malicious actors manipulate legitimate packages in order to spread malware or gain unauthorized access to devices, could result from this behavior.
The wide use of CocoaPods and potential for downstream dependencies mean millions of applications and devices could have been exposed.
CocoaPods, a popular dependency manager for iOS development, had vulnerabilities that could allow attackers to inject malicious code into apps, which could impact millions of apps and expose user data due to dependencies used by major companies.
Developers should review their dependencies, validate checksums, scan for malicious code, keep software updated, avoid unmaintained packages, and, if they used CocoaPods before October 2023, take extra care to remediate these vulnerabilities.
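One concrete way to act on the "validate checksums" advice above is to watch the SPEC CHECKSUMS section of a project's Podfile.lock between builds: each entry is the checksum CocoaPods recorded for the resolved podspec, so a checksum that changes while the pod's version stays the same means the published spec was altered in place. The following Ruby script is an added example, not code from CocoaPods or from the research described on this page; the two lock files and every checksum value in it are constructed, and the section names (PODS, SPEC CHECKSUMS) are the ones a real Podfile.lock uses.

```ruby
# Constructed sample Podfile.lock contents (not a real project's lock files; the
# checksum values are made-up hex strings of the right length).
BASELINE_LOCK = <<~LOCK
  PODS:
    - ExamplePodA (1.2.0)
    - ExamplePodB (3.0.1)
  DEPENDENCIES:
    - ExamplePodA (~> 1.2)
    - ExamplePodB (~> 3.0)
  SPEC CHECKSUMS:
    ExamplePodA: a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1
    ExamplePodB: b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2
  PODFILE CHECKSUM: e5e5e5e5e5e5e5e5e5e5e5e5e5e5e5e5e5e5e5e5
  COCOAPODS: 1.15.2
LOCK

CURRENT_LOCK = <<~LOCK
  PODS:
    - ExamplePodA (1.2.0)
    - ExamplePodB (3.0.1)
    - ExamplePodC (0.9.0)
  DEPENDENCIES:
    - ExamplePodA (~> 1.2)
    - ExamplePodB (~> 3.0)
    - ExamplePodC
  SPEC CHECKSUMS:
    ExamplePodA: a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1
    ExamplePodB: c3c3c3c3c3c3c3c3c3c3c3c3c3c3c3c3c3c3c3c3
    ExamplePodC: d4d4d4d4d4d4d4d4d4d4d4d4d4d4d4d4d4d4d4d4
  PODFILE CHECKSUM: e5e5e5e5e5e5e5e5e5e5e5e5e5e5e5e5e5e5e5e5
  COCOAPODS: 1.15.2
LOCK

# Split the lock file into its top-level sections. The file is parsed as text
# rather than with YAML on purpose: an all-digit checksum would otherwise be
# coerced to a number and lose its leading zeros.
def lock_sections(lock_text)
  sections = Hash.new { |h, k| h[k] = [] }
  current = nil
  lock_text.each_line do |line|
    if (m = line.match(/\A([A-Z][A-Z ]*):/))
      current = m[1]
    elsif current && !line.strip.empty?
      sections[current] << line.rstrip
    end
  end
  sections
end

# pod name => 40-hex-digit podspec checksum
def spec_checksums(lock_text)
  lock_sections(lock_text)['SPEC CHECKSUMS'].each_with_object({}) do |line, out|
    m = line.match(/\A\s+(\S+): ([0-9a-f]{40})\z/) or next
    out[m[1]] = m[2]
  end
end

# pod name => resolved version; only top-level PODS entries (two-space indent),
# not the nested dependency lines underneath them
def pod_versions(lock_text)
  lock_sections(lock_text)['PODS'].each_with_object({}) do |line, out|
    m = line.match(/\A  - (\S+) \(([^)]+)\)/) or next
    out[m[1]] = m[2]
  end
end

# Report what moved between two lock snapshots. `silent_changes` is the set a
# reviewer should look at first: the podspec checksum changed but the version
# did not, so nothing in the dependency declaration would have flagged it.
def checksum_drift(baseline_text, current_text)
  base, cur = spec_checksums(baseline_text), spec_checksums(current_text)
  base_v, cur_v = pod_versions(baseline_text), pod_versions(current_text)
  changed = (base.keys & cur.keys).select { |pod| base[pod] != cur[pod] }
  {
    added: cur.keys - base.keys,
    removed: base.keys - cur.keys,
    changed: changed,
    silent_changes: changed.select { |pod| base_v[pod] == cur_v[pod] },
  }
end

if __FILE__ == $PROGRAM_NAME
  checksum_drift(BASELINE_LOCK, CURRENT_LOCK).each { |kind, pods| puts "#{kind}: #{pods.join(', ')}" }
end
```

In a real pipeline the baseline would be the Podfile.lock committed on the last reviewed build and the current one the file produced by `pod install` today; anything listed under `silent_changes` or `added` is worth a look at the podspec and its source before the build is trusted.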
Technical details:
CocoaPods migrated to a new system in 2014, where Podspec authors claim ownership of their pods. However, many Podspec authors did not claim ownership, leaving their pods orphaned.
A vulnerability in the claim process allowed anyone to claim these orphaned pods by sending a simple request to the server, which could have allowed attackers to inject malicious code into these pods, potentially impacting millions of iOS and macOS apps that depend on them.
A vulnerability (CVE-2024-38366) in the CocoaPods ‘Trunk’ server’s email registration process allowed attackers to execute arbitrary commands through a flaw in the rfc-822 gem.
The server used the gem’s host_mx method to validate MX records during registration, but this method didn’t properly validate user-provided data.
By registering with a specially crafted email address whose host part contained a pipe (|) followed by a bash command, attackers could make the server execute that command during the MX lookup, which could have allowed them to compromise the server or steal user data.
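The bug class behind CVE-2024-38366 is a hostname taken from user input reaching a shell command unchecked. The Ruby below is an added example, not the rfc-822 gem's code or the CocoaPods Trunk server's: `mx_command_unsafe` is a hypothetical reconstruction of the vulnerable pattern (it returns the command string instead of running it, so the example can show how a pipe rewrites the command line), and `host_mx_safe` is the hardened form, which validates the host structurally and then uses Ruby's `Resolv::DNS` library so that no shell is involved at all. The `StubResolver`, its records and the addresses are constructed so the example runs offline.

```ruby
require 'resolv'

# One RFC 1123 hostname label: alphanumerics and hyphens, no leading/trailing hyphen.
HOSTNAME_LABEL = /\A[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\z/i

# Structural check applied before anything else touches the host. A pipe, space,
# semicolon or any other shell metacharacter fails here. At least one dot is
# required, since a bare single-label host is not a usable registration domain.
def valid_hostname?(host)
  return false unless host.is_a?(String) && host.length.between?(1, 253)
  labels = host.split('.', -1)
  labels.size >= 2 && labels.all? { |label| label.match?(HOSTNAME_LABEL) }
end

# Host part of a registration address; rejects addresses with no '@' or an empty local part.
def email_domain(email)
  local, at, domain = email.rpartition('@')
  raise ArgumentError, "malformed address: #{email.inspect}" if at.empty? || local.empty?
  domain
end

# The vulnerable pattern (hypothetical reconstruction of the bug class, not the
# rfc-822 gem's code): the host is interpolated into a shell command string. The
# string is returned rather than executed so the example can show what a '|' does to it.
def mx_command_unsafe(host)
  "host -t mx #{host}"
end

# Hardened lookup: validate first, then ask the resolver library directly. There is
# no command line for the input to escape from. The resolver is injectable so the
# example can run offline against a stub.
def host_mx_safe(host, resolver: Resolv::DNS.new)
  raise ArgumentError, "invalid hostname: #{host.inspect}" unless valid_hostname?(host)
  resolver.getresources(host, Resolv::DNS::Resource::IN::MX)
          .sort_by(&:preference)
          .map { |record| record.exchange.to_s }
end

# Constructed stand-in for DNS (the records are made up) so the example needs no network.
class StubResolver
  def initialize(records)
    @records = records
  end

  def getresources(host, _type)
    (@records[host] || []).map do |preference, exchange|
      Resolv::DNS::Resource::IN::MX.new(preference, Resolv::DNS::Name.create(exchange))
    end
  end
end

if __FILE__ == $PROGRAM_NAME
  stub = StubResolver.new('example.com' => [[20, 'mx2.example.com'], [10, 'mx1.example.com']])
  puts host_mx_safe(email_domain('user@example.com'), resolver: stub).inspect
  crafted = 'user@example.com|id'                       # constructed crafted address
  puts mx_command_unsafe(email_domain(crafted))          # the corrupted command line
  begin
    host_mx_safe(email_domain(crafted), resolver: stub)
  rescue ArgumentError => e
    puts "rejected: #{e.message}"
  end
end
```

The order matters: the allow-list check runs before the lookup, so a rejected host never reaches any resolver. If shelling out to a tool really is unavoidable, the same principle applies in Ruby by passing the command and its arguments to `system` as separate array elements rather than as one interpolated string, so the host is never parsed by a shell.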
According to EVA Information Security, the CocoaPods session creation process had a vulnerability that allowed an attacker to spoof the session validation link sent by email.
Because email security products that scan for phishing automatically follow links in incoming mail, such a product would visit the spoofed link and hand over the session validation token without any action from the victim, giving the attacker a zero-click account takeover; with that account the attacker could change pod specifications, with consequences for the whole CocoaPods ecosystem.