Apple CocoaPods Flaws Affect Millions of Apps – Spiceworks

• Security flaws in the CocoaPods dependency manager have been discovered, which could be exploited to launch supply chain attacks against Apple apps.
• While CocoaPods packages have been exposed for years, the bugs were patched in October 2023.

Recently, revelations about critical flaws in CocoaPods, a prominent dependency manager for Objective-C and Swift, have highlighted significant risks for applications on macOS and iOS devices. The vulnerabilities have exposed millions of applications to supply chain attacks, potentially hurting several Apple users.

The problem emerged when CocoaPods migrated to the Trunk server, leaving thousands of packages unclaimed. Attackers used public APIs to claim pods and an email address in the CocoaPods source code. The risk is significant as CocoaPods is used widely to manage third-party libraries in the development of macOS and iOS. Since it automates integration and resolution, it is a popular time-saving tool. However, these unclaimed packages were left exposed for nearly a decade.

The Trunk server is a key part of the CocoaPods infrastructure. It manages the distribution and hosting of files for CocoaPods libraries. It is essential to the library version control, user authentication, and publishing processes. However, associated security issues can hurt the integrity of libraries, allowing threat actors to inject harmful code into popular data packages.

See More: LockBit Claims Stealing 33TB Banking Information From the US Federal Reserve, Claims Proven False

Critical vulnerabilities discovered include CVE-2024-38366 (CVSS 10.0), CVE-2024-38368 (CVSS 9.3), and CVE-2024-38367 (CVSS 8.2). The first bug affects the email verification workflow, enabling the execution of arbitrary code on the Trunk server. Consequently, legitimate packages can be altered or replaced, posing a significant risk to users.

The second flaw exploits the Claim Your Pods feature, which allows attackers to control unclaimed packages. This, in turn, enables source code manipulation, introducing unapproved changes to popular applications.

The last flaw also involves email verification, where a potentially benign link redirects attackers to malicious domains, leading to the risk of account takeovers or token theft.

Since many popular apps rely on CocoaPods, such vulnerabilities threaten the overall iOS and macOS ecosystem. Attackers exploiting these vulnerabilities can inject malicious code into legitimate apps, distribute malware through trusted channels, and compromise user data.

While CocoaPods has patched each of these vulnerabilities, details about how these flaws were exploited have yet to be clarified. Developers have been urged to review security practices and update dependencies to mitigate future risks.

This is not the first time CocoaPods has faced scrutiny. In early 2023, security researchers discovered a flaw that allowed attackers to hijack subdomains. The recent discoveries emphasize the importance of security in dependency management and software development, with the need for a proactive approach toward potential vulnerabilities that may influence user data and applications.

LATEST NEWS STORIES