CocoaPods flaws highlight growing supply chain risks


Ryan Daws is a senior editor at TechForge Media with over a decade of experience in crafting compelling narratives and making complex topics accessible. His articles and interviews with industry leaders have earned him recognition as a key influencer by organisations like Onalytica. Under his leadership, publications have been praised by analyst firms such as Forrester for their excellence and performance. Connect with him on X (@gadget_ry) or Mastodon (@gadgetry@techhub.social)


Security researchers at E.V.A Information Security have uncovered several critical vulnerabilities in CocoaPods, a popular dependency manager for Swift and Objective-C projects. These vulnerabilities potentially expose millions of Apple devices to supply chain attacks, highlighting the growing risks associated with open-source software dependencies.

CocoaPods, used in over three million mobile apps, plays a crucial role in the iOS and macOS development ecosystem. The discovered flaws could allow attackers to claim ownership of orphaned packages, execute arbitrary code on the CocoaPods ‘Trunk’ server, and perform zero-click account takeovers.

Vulnerability details:

  • Unauthorised ownership of orphaned pods (CVE-2024-38368): any of the 1,866 pods left without an owner could be claimed by an attacker through the public Trunk API, after which they could publish a malicious version of a package other projects still depend on.
  • Remote code execution on the ‘Trunk’ server (CVE-2024-38366): a flaw in how the server validated e-mail addresses during registration allowed an attacker to run arbitrary code on the server that manages package publication and distribution.
  • Zero-click account takeover (CVE-2024-38367): the server built the session-verification link in its e-mails from the attacker-controllable X-Forwarded-Host header, so the link pointed at an attacker-chosen host; e-mail security tools that automatically open links in incoming mail then handed the verification token to the attacker, who could use it against the real server to take over the developer’s account without the victim clicking anything.

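The third flaw is easiest to see in code. The Ruby below is an added illustration, not CocoaPods’ or E.V.A’s code: a link builder that trusts X-Forwarded-Host next to one that takes the host from configuration, plus a minimal model of a mail scanner that opens every link it sees. The hostnames, the Rack-style header keys and the scenario itself are constructed for the example.

```ruby
require 'uri'
require 'securerandom'

# Assumed public hostname of the registry (constructed for this example).
TRUSTED_HOST = 'trunk.example.org'.freeze

# Vulnerable pattern: the absolute link placed in the verification e-mail is
# built from request headers. A reverse proxy normally sets X-Forwarded-Host,
# but nothing stops a client from sending the header itself.
def verification_link_from_headers(env, token)
  host = env['HTTP_X_FORWARDED_HOST'] || env['HTTP_HOST']
  "https://#{host}/sessions/verify/#{token}"
end

# Hardened pattern: the link host is configuration, never request data.
def verification_link_from_config(token, host: TRUSTED_HOST)
  "https://#{host}/sessions/verify/#{token}"
end

# Model of an e-mail security gateway that fetches every link in incoming
# mail. It does not care who owns the host; whoever runs that host sees the
# full URL, token included. Returns the host that received the token.
def scanner_follows(link)
  URI(link).host
end

# Walk through the attack once with a given link builder and report which
# host ended up holding the victim's verification token.
def run_scenario(link_builder)
  # Attacker asks the server to start a session for the victim's address,
  # sending a forged X-Forwarded-Host alongside the genuine Host header.
  attacker_env = {
    'HTTP_HOST' => TRUSTED_HOST,
    'HTTP_X_FORWARDED_HOST' => 'attacker.example.net' # constructed
  }
  token = SecureRandom.hex(16)
  link = link_builder.call(attacker_env, token)

  # The victim never clicks; their mail gateway opens the link automatically.
  receiving_host = scanner_follows(link)

  # The attacker can replay the token against the real server only if the
  # token was delivered to a host the attacker controls.
  {
    link: link,
    token_seen_by: receiving_host,
    attacker_can_replay: receiving_host != TRUSTED_HOST
  }
end

VULNERABLE = ->(env, token) { verification_link_from_headers(env, token) }
HARDENED   = ->(_env, token) { verification_link_from_config(token) }

if __FILE__ == $PROGRAM_NAME
  puts "vulnerable: #{run_scenario(VULNERABLE).inspect}"
  puts "hardened:   #{run_scenario(HARDENED).inspect}"
end
```

Note that helpers such as Rack’s `request.host` and `request.base_url` honour X-Forwarded-Host by default, so “use the framework’s request URL” is the vulnerable pattern unless the proxy strips the header or the framework is told which proxies to trust. Any link that carries a bearer token should be built from a configured origin.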
The vulnerabilities affect a significant portion of the Swift and Objective-C application ecosystem, potentially impacting thousands to millions of apps across iOS, macOS, and other Apple platforms. Major companies such as Google, GitHub, Amazon, and Dropbox maintain projects that could be at risk due to these flaws.

“Many of these unclaimed Pods are still in wide use. We found mentions of orphaned Pods in the documentation or terms of service documents of applications provided by Meta (Facebook, WhatsApp), Apple (Safari, AppleTV, Xcode), and Microsoft (Teams); as well as in TikTok, Snapchat, Amazon, LinkedIn, Netflix, Okta, Yahoo, Zynga, and many more,” explained E.V.A Information Security researchers.

The consequences of a successful attack would be severe. A malicious version of a widely used pod ships inside every app that rebuilds against it, giving the attacker access to whatever those apps handle, including payment card details and medical records, and a foothold for ransomware, fraud, or corporate espionage.

Developers and organisations using CocoaPods, especially those whose projects resolved dependencies before October 2023, when the Trunk fixes landed, are advised to take immediate action:

  • Review dependency lists and validate checksums of third-party libraries.
  • Perform security scans to detect malicious code or suspicious changes.
  • Keep software updated and limit the use of orphaned or unmaintained packages.
  • Implement thorough security reviews of third-party code.
  • Verify that no orphaned Pods are in use.
  • Ensure third-party dependencies are actively maintained with clear ownership.
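The first and fifth items above can be automated against the project’s own `Podfile.lock`. The Ruby below is an added example, not code from CocoaPods or from the researchers: it parses the lockfile, recomputes the SHA-1 that CocoaPods records under `SPEC CHECKSUMS` (the digest of the resolved podspec file) and reports any pod whose podspec no longer matches what was locked, then flags pods on a caller-supplied watchlist of orphaned or unmaintained names. The pod names, podspec contents and lockfile are constructed for the example; the watchlist is something you would populate from your own review.

```ruby
require 'yaml'
require 'digest'

# Parse a Podfile.lock (YAML) into {name => {version:, checksum:}}.
# Subspecs such as "Foo/Bar" share Foo's podspec, so they fold into "Foo".
def parse_podfile_lock(text)
  lock = YAML.safe_load(text)
  checksums = lock.fetch('SPEC CHECKSUMS', {})
  pods = {}
  Array(lock['PODS']).each do |entry|
    # Entries are "Name (1.2.3)" strings, or one-key hashes when a pod lists
    # its own dependencies underneath.
    line = entry.is_a?(Hash) ? entry.keys.first : entry
    m = line.match(/\A(\S+) \((.+)\)\z/) or next
    root = m[1].split('/').first
    pods[root] ||= { version: m[2], checksum: checksums[root] }
  end
  pods
end

# Recompute the SHA-1 of each podspec file and compare with the lockfile.
# podspec_files maps pod name => contents of the resolved .podspec.json.
def verify_spec_checksums(pods, podspec_files)
  pods.each_with_object({}) do |(name, info), report|
    actual = podspec_files[name] && Digest::SHA1.hexdigest(podspec_files[name])
    report[name] =
      if actual.nil?                  then :missing_podspec
      elsif info[:checksum].nil?      then :missing_checksum
      elsif actual == info[:checksum] then :ok
      else                                 :mismatch
      end
  end
end

# Return the locked pods that appear on a watchlist of orphaned or
# unmaintained pod names (the watchlist is the caller's, built by review).
def flag_pods(pods, watchlist)
  pods.keys.select { |name| watchlist.include?(name) }
end

# Constructed podspec JSON, standing in for files under the specs checkout.
PODSPECS = {
  'ExampleNet' => '{"name":"ExampleNet","version":"5.6.4","source":{"git":"https://example.invalid/ExampleNet.git","tag":"5.6.4"}}',
  'OrphanKit'  => '{"name":"OrphanKit","version":"1.0.2","source":{"git":"https://example.invalid/OrphanKit.git","tag":"1.0.2"}}'
}.freeze

# Constructed Podfile.lock. With tamper: true the recorded checksum for
# OrphanKit no longer matches its podspec, as if the spec were replaced
# after the project locked it.
def sample_lockfile(tamper: false)
  good   = Digest::SHA1.hexdigest(PODSPECS['ExampleNet'])
  orphan = Digest::SHA1.hexdigest(PODSPECS['OrphanKit'])
  orphan = orphan.reverse if tamper
  <<~LOCK
    PODS:
      - ExampleNet (5.6.4)
      - OrphanKit (1.0.2):
        - ExampleNet (~> 5.6)
      - OrphanKit/Extras (1.0.2)

    DEPENDENCIES:
      - ExampleNet (~> 5.6)
      - OrphanKit

    SPEC REPOS:
      trunk:
        - ExampleNet
        - OrphanKit

    SPEC CHECKSUMS:
      ExampleNet: #{good}
      OrphanKit: #{orphan}

    COCOAPODS: 1.15.2
  LOCK
end

if __FILE__ == $PROGRAM_NAME
  pods = parse_podfile_lock(sample_lockfile(tamper: true))
  puts verify_spec_checksums(pods, PODSPECS).inspect
  puts "watchlisted: #{flag_pods(pods, %w[OrphanKit]).inspect}"
end
```

Against a real project, `podspec_files` is filled from the podspec JSON under the local specs checkout (typically `~/.cocoapods/repos/trunk/Specs/...`), and a `:mismatch` means the spec the registry now serves is not the one the lockfile was generated from, which is exactly the change an ownership takeover would produce. A pod on the watchlist is a candidate for vendoring or replacement rather than an automatic failure.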

The CocoaPods team has been informed of these vulnerabilities and has since patched them. However, the incident serves as a stark reminder of the risks associated with relying heavily on open-source dependencies and the importance of maintaining vigilance in software supply chain security.

This discovery underscores the need for developers to remain aware of the potential consequences of integrating third-party code into their applications. As software supply chains become increasingly complex, insight into application code composition and ensuring the validity of open-source dependencies are paramount.

While there is no direct evidence of these vulnerabilities being exploited in the wild, the potential impact on millions of Apple devices worldwide necessitates a proactive approach to security. Developers are encouraged to implement the recommended mitigation strategies and stay informed about the security status of their dependency management tools.

(Photo by Mohamed M)
