CocoaPods flaws risk supply chain attacks on thousands of apps

CocoaPods, an open-source dependency manager widely used in Swift and Objective-C projects, contained several critical vulnerabilities that could potentially impact thousands of applications and millions of Apple devices. These vulnerabilities, tracked as CVE-2024-38368, CVE-2024-38366, and CVE-2024-38367, allow attackers to claim ownership of packages, perform remote code execution (RCE), and carry out zero-click account takeover.

CocoaPods manages dependencies in iOS and macOS development projects and simplifies incorporating external libraries into applications. Many major companies rely on it for their projects, and the potential for affected end-user apps deployed on millions, if not billions, of devices is alarming.

Applications compromised by these vulnerabilities could grant attackers access to sensitive user information, including credit card details, medical records, and private materials. According to the researchers, potential damages include ransomware attacks, fraud, blackmail, and corporate espionage, with severe legal and reputational risks for affected companies.

The first vulnerability, CVE-2024-38368, can be exploited by hackers to gain unauthorised ownership over orphaned pods. During a red team exercise, researchers identified that a 2014 migration left numerous CocoaPods packages orphaned, with their original owners unverified.

Trunk server’s app controller. | Source: E.V.A. Information Security

Attackers could exploit this by using a public API and an email address in the CocoaPods source code to claim these orphaned packages. This would allow them to replace the source with malicious content, potentially infecting any downstream applications that rely on these packages.

“Orphaned Pods are used as dependencies of many other packages available on CocoaPods. For example, we found mentions of orphaned Pods in the documentation or terms of service documents of applications provided by Meta (Facebook, Whatsapp), Apple (Safari, AppleTV, Xcode), and Microsoft (Teams); as well as in TikTok, Snapchat, Amazon, LinkedIn, Netflix, Okta, Yahoo, Zynga, and many more,” researchers observed. “Overall we found 685 Pods that had an explicit dependency using an orphaned Pod; doubtless there are hundreds or thousands more in proprietary codebases.”

Another critical vulnerability, CVE-2024-38366, was found in CocoaPods’ Trunk server’s email verification workflow. The issue lies in the email validation process during user registration. The server uses a third-party Ruby gem called ‘rfc-822’ to verify email addresses, including checking MX records.

Implementation of vulnerable methods in rfc-822. | Source: E.V.A. Information Security

The ‘host_mx’ method in the rfc-822 gem executes an OS command to check MX records without proper input sanitisation, making it vulnerable to command injection. Researchers found that attackers can exploit this flaw by registering with a specially crafted email address.
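To make the defect concrete from the defender's side, the following Ruby is an added example written for this article; it is not the rfc-822 gem's code or the Trunk server's. The unsafe lambda reproduces only the shape the article describes (an OS command with the domain interpolated into it) and is never invoked. The fix is to validate the domain against a strict hostname grammar before it is used anywhere, and to do the MX lookup through the resolver library instead of a shell. The hostname pattern, the function names and the sample addresses are all assumptions made here.

```ruby
require 'resolv'

# "Before" shape (assumed reconstruction, not the gem's source): the domain is
# interpolated straight into a shell command, so shell metacharacters in it are
# interpreted by the shell. Defined for comparison only; never called.
UNSAFE_HOST_MX = lambda do |domain|
  `host -t mx #{domain}`
end

# RFC 1123 hostname: dot-separated labels of letters, digits and hyphens,
# 253 characters at most, ending in an alphabetic top-level label.
HOSTNAME_RE = /\A(?=.{1,253}\z)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}\z/i

# Returns the lower-cased domain part of an address, or nil when the address
# is malformed or the domain is not a plain hostname. Anything that fails here
# never reaches a lookup, let alone a shell.
def email_domain(address)
  return nil unless address.is_a?(String) && address.count('@') == 1
  local, domain = address.split('@', 2)
  return nil if local.nil? || local.empty? || domain.nil?
  return nil unless domain.match?(HOSTNAME_RE)
  domain.downcase
end

# "After": MX lookup without a shell. The validated domain goes to the resolver
# library directly; the result is the exchange hostnames in preference order.
# This needs network access and is not exercised by the offline check below.
def mx_hosts(domain)
  raise ArgumentError, "invalid hostname: #{domain.inspect}" unless domain.match?(HOSTNAME_RE)
  Resolv::DNS.open do |dns|
    dns.getresources(domain, Resolv::DNS::Resource::IN::MX)
       .sort_by(&:preference)
       .map { |rr| rr.exchange.to_s }
  end
end

# Registration-time gate: an address is acceptable only if its domain survives
# validation. Rejected addresses are worth logging as a detection signal.
def registration_domain_ok?(address)
  !email_domain(address).nil?
end
```

The important design choice is that validation happens on the parsed domain, not on the whole address, and that the lookup API takes the hostname as data rather than as part of a command line; even if the regex were loosened later, there is no shell left to inject into.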

“If an unauthorised threat actor compromises the server, they could potentially dump all pod owners’ session tokens, poison client’s traffic or even shut down the server completely,” researchers warned.

The third vulnerability, CVE-2024-38367, involves the use of the X-Forwarded-Host HTTP header. By spoofing this header, attackers could generate a session validation link pointing to a domain they control. This could be used to perform a zero-click account takeover by leveraging email security products that automatically scan and click on links to check for phishing attempts.

Session creation controller action implementation. | Source: E.V.A. Information Security

This flaw allowed attackers to gain control over multiple CocoaPods accounts, posing a significant risk to the integrity of the packages hosted on the platform.

“Compromising a victim’s account will result in a full takeover of the CocoaPods owned by the account. The threat actor could manipulate pod specifications, disrupt the distribution of legitimate libraries, or cause widespread disruption within the CocoaPods ecosystem,” the researchers explain. “Using this method, we managed to take over the owner accounts of some of the most popular CocoaPods packages.”
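The header-spoofing issue above comes down to where the hostname in the emailed link is taken from. The Ruby below is an added illustration written for this article, not the Trunk server's controller code; the hostname, header hash shape and route are assumptions. The first function builds the link from request-supplied headers, which is the pattern the article describes; the second takes the host from configuration and treats a mismatching forwarded header as something to reject and log, not to echo into the link.

```ruby
require 'uri'

# Assumed canonical host for the service; a placeholder, not the real one.
CANONICAL_HOST = 'trunk.cocoapods.example'

# "Before": the link host comes from headers the client (or anything between
# the client and the app) can set. If a proxy forwards X-Forwarded-Host
# unchanged, the requester chooses where the verification link points.
def session_link_from_headers(headers, token)
  host = headers['X-Forwarded-Host'] || headers['Host']
  "https://#{host}/sessions/verify/#{token}"
end

# Detection helper: true when a forwarded host is present and does not match
# the configured host. Worth alerting on in front of any link-building path.
def forwarded_host_mismatch?(headers, canonical_host = CANONICAL_HOST)
  forwarded = headers['X-Forwarded-Host']
  !forwarded.nil? && forwarded.strip.downcase != canonical_host
end

# "After": the host is configuration. Request headers are only compared
# against it; a mismatch raises instead of being used.
def session_link_fixed(headers, token, canonical_host: CANONICAL_HOST)
  if forwarded_host_mismatch?(headers, canonical_host)
    raise SecurityError, "unexpected forwarded host: #{headers['X-Forwarded-Host'].inspect}"
  end
  URI::HTTPS.build(host: canonical_host, path: "/sessions/verify/#{token}").to_s
end
```

The same rule applies to any absolute URL a server mails out (password resets, invitation links, magic logins): derive the origin from configuration, and treat host-related request headers as untrusted input to validate, never as the source of truth.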

Researchers urge organisations and individuals to review dependency lists, validate checksums, perform periodic scans, update software, and limit the use of orphaned packages. Researchers also urge extra caution for developers who used CocoaPods before October 2023. Developers could synchronise the Podfile.lock file across all developers to prevent automatic updates to potentially harmful versions, and conduct a thorough check on internally developed pods hosted in CocoaPods.
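Two of those recommendations, validating checksums and limiting the use of particular packages, can be checked mechanically against the Podfile.lock that CocoaPods already writes. The Ruby below is an added example for this article, not a CocoaPods tool; the lockfile excerpt is constructed (pod names, versions and checksums are made up), and the baseline and watchlist are whatever a team has reviewed and committed. It parses the lockfile (which is YAML), reports any SPEC CHECKSUMS entry that differs from the baseline, and flags locked pods that appear on a watchlist.

```ruby
require 'yaml'

# Constructed Podfile.lock excerpt; the names and hex values are invented.
SAMPLE_PODFILE_LOCK = <<~LOCK
  PODS:
    - Alamofire (5.6.4)
    - ExampleOrphanedPod (1.2.0):
      - Alamofire

  DEPENDENCIES:
    - Alamofire (~> 5.6)
    - ExampleOrphanedPod

  SPEC CHECKSUMS:
    Alamofire: 4e95d97098eacb88856099c4fc79b526a299e48c
    ExampleOrphanedPod: 0123456789abcdef0123456789abcdef01234567

  PODFILE CHECKSUM: 9e9a2a2f0d9c0d3d3f0c8b7a6f5e4d3c2b1a0f9e

  COCOAPODS: 1.12.1
LOCK

# Parse the lockfile once; safe_load because the file is data, not code.
def parse_lock(lock_text)
  YAML.safe_load(lock_text) || {}
end

# {pod_name => checksum} from the SPEC CHECKSUMS section.
def spec_checksums(lock_text)
  (parse_lock(lock_text)['SPEC CHECKSUMS'] || {}).transform_values(&:to_s)
end

# Pod names from the PODS section. Entries are either "Name (version)" strings
# or a one-key hash whose value is the pod's own dependency list.
def locked_pods(lock_text)
  (parse_lock(lock_text)['PODS'] || []).map do |entry|
    name = entry.is_a?(Hash) ? entry.keys.first : entry
    name.sub(/\s*\(.*\)\z/, '')
  end
end

# Compare against a reviewed baseline {pod_name => checksum}. Any :changed
# entry means the podspec content differs from what was reviewed; :added and
# :missing show dependency set drift. All three are worth a human look.
def checksum_drift(lock_text, baseline)
  current = spec_checksums(lock_text)
  {
    changed: current.select { |pod, sum| baseline.key?(pod) && baseline[pod] != sum }.keys.sort,
    added:   (current.keys - baseline.keys).sort,
    missing: (baseline.keys - current.keys).sort
  }
end

# Pods in the lockfile that appear on a watchlist (for instance, pods a team
# has identified as orphaned or otherwise needing review).
def watchlisted_pods(lock_text, watchlist)
  (locked_pods(lock_text) & watchlist).sort
end
```

Run this in CI against the committed Podfile.lock so that a checksum change or a new pod fails the build until someone reviews it; a synchronised lockfile only helps if nobody can silently change what it pins.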

Kumar Hemant

Deputy Editor at Candid.Technology. Hemant writes at the intersection of tech and culture and has a keen interest in science, social issues and international relations.