CocoaPods flaws leave iOS, macOS apps open to supply chain attacks

A newly patched vulnerability in a software dependency management tool used by app developers for Apple’s iOS and MacOS platforms, could have opened the door for attackers to inject malicious code into many of the most popular apps on those platforms.

Another security weakness in the CocoaPods dependency manager created a way for hackers to launch supply chain attacks, security researchers at EVA Information Security warned on Monday.

Developers who rely on CocoaPods in recent years should ensure the integrity of open source dependencies in their code in response to these security vulnerabilities, EVA advises.

CocoaPods is an open source dependency manager for Swift and Objective-C projects. Software developers use technology to ensure the integrity and authenticity of the components they use by ensuring that checks and digital signatures of packages are present and correct.

Orphan pods

Flaws in the CocoaPods ecosystem undermine this process by making it possible for trusted parties to claim ownership over thousands of unclaimed “pods” code. These pods may be used to inject malicious code as part of a supply chain attack.

These unwanted pods are from a migration process 10 years ago that left thousands of orphaned packages in the system. Although orphaned, many of these software packages were still used by other applications, EVA found.

“Using the public API and the email address that was available in the CocoaPods source code, an attacker could claim ownership of any of these packages, which would allow the attacker to replace the original source code with their own malicious code,” EVA wrote. .

A publicly available API allowed anyone to search for orphans without an authentication process.

By making a curl request to a publicly available API, and providing an unclaimed target pod name, a potential attacker can search for an orphaned pod.

“An attacker can spoof the source code or insert malicious content into a newly searched Pod,” EVA warns. “This pod will continue to infect more people downstream.”

EVA said that references to orphans appeared in application documents provided by Meta (Facebook, Whatsapp), Apple (Safari, AppleTV, Xcode), and Microsoft (Teams); and on TikTok, Snapchat, Amazon, LinkedIn, Netflix, Okta, Yahoo, Zynga, and many more.

Security researchers found 685 Pods that had an apparent dependency using an orphaned iPod, about a fraction of the actual number when proprietary codes are factored into the calculation.

Reef Spektor, VP research at EVA Information Security, told CSOonline: “The vulnerability we discovered in CocoaPods has been around for the last decade. We won’t know for sure if the vulnerability has been exploited, but we do know that if malicious actors were to launch a supply chain attack, the impact could be huge, affecting consumers in the Apple ecosystem and businesses that develop applications. “

Trunk phone

A different vulnerability, CVE-2024-38368, created a way for an attacker to gain access to the CocoaPods ‘Trunk’ server.

The attack was possible because “an insecure email authentication workflow could be abused to execute malicious code on the CocoaPods ‘Trunk’ server” allowing an attacker to control or reverse downloaded packages, according to Israeli security experts.

“By corrupting the HTTP header and using poorly configured email security tools, attackers can attack by clicking on something that gives them access to the developer’s account authentication token,” EVA warns. “This will allow attackers to change packages on the CocoaPods server and lead to supply chain attacks and zero-day attacks.”

EVA Spektor noted that supply chain attacks are a “permanent threat” to anyone who relies on third-party software. “The offensive elements of supply chain attacks are becoming increasingly sophisticated as technology advances,” according to Spektor.

Repair

EVA informed CocoaPods of the problems, which have since been removed, prompting security to go public with their findings. CocoaPods developers did not immediately respond to CSOonline’s request for comment.

Developers are advised to review the dependency lists and package managers used in their applications, and verify the test values ​​of third-party libraries to respond to vulnerabilities.

Common best practice guidelines include periodic scanning for malicious code or suspicious changes. Reducing the use of orphaned or unmaintained packages is also a good idea.


Source link